Wednesday, 14 September 2011

Hijacking 2 clicks in Google Accounts

This vulnerability was the same as my previous post but more challenging in terms of exploitation. In this, attacker needs to hijack 2 user clicks to complete the desired action.

It starts with Google Products page where you can remove listed service from Google Accounts.

Once user decided to remove any service, for ex. Google Health, the user is presented with following page.

To remove service, user first needs to click the checkbox. After this only the “Remove Google Health” button will be active which when clicked will remove respective service from Google Account.

To exploit this, I used “Fake Captcha” technique which will successfully hijack required 2 clicks and will remove targeted service.  Here is how the attack page looks like.

This page has an invisible iframe which renders remove service page from Google Accounts. The correct answer, in this case ‘30’, is placed over the checkbox from vulnerable page & ‘Submit Answer’ on ‘Remove Google Health’ button.

When an authenticated user clicks on right answer for the provided arithmetic operation, he/she actually clicking the checkbox which enables “Remove Google Health” button.

Now he/she need to complete the process by submitting the answer. Once clicked on “Submit Answer” button, the targeted service will be removed from his/her Google Accounts.

Remove Google Heath, Remove Google Web History and Remove Orkut were vulnerable to this attack.

Google was very quick to patch this vulnerability.

Hope you enjoyed reading this. Suggestions, comments are welcome.


  1. gr8 post .. thanks for giving insight of click jacking :)

  2. Wow.
    Wont the user be asked the 'conformation to delete' OR to 'login again'?
    This works only if Google account is already logged in right ?

    Nice work.