Google Bug Exposes Private Documents
- By Dawna M. Roberts
- Published: Jan 01, 2021
- Last Updated: Mar 18, 2022
The Hacker News reported this week that a Google bug could have allowed hackers to view and take screenshots of your private documents.
What is Google Docs?
Google is not just a search engine. The company also provides dozens of other digital services, and one of them is collectively called Google Docs. The service mimics Microsoft Office and has a word processing area, a spreadsheet tool, a powerpoint-type program for presentations, and a place where you can create online forms for others to fill out.
A large percentage of the business world uses Google Docs to share, collaborate, and easily store documents in the cloud. Most people trust the service implicitly storing even private and sensitive information there.
What Happened?
Security researcher Sreeram KL discovered the bug on July 9th and received $3,100+ as part of Google’s Vulnerability Reward Program. The bug stemmed from a feedback component that allows users to send information to Google about how the program is working. It also includes the option to send a screenshot along with the message.
This “Send Feedback” option exists across all of Google Docs services, but it comes from their main website using an iFrame. According to The Hacker News, it works by “instead of having to duplicate the same functionality across its services, the feedback feature is deployed in Google’s main website (“www.google.com”) and integrated to other domains via an iframe element that loads the pop-up’s content from “feedback.googleusercontent.com.”
The Technical Details
The Hacker News further explains how the feedback tool works, “This also means that whenever a screenshot of the Google Docs window is included, rendering the image necessitates the transmission of RGB values of every pixel to the parent domain (www.google.com), which then redirects those RGB values to the feedback’s domain, which ultimately constructs the image and sends it back in Base64 encoded format.”
Sreeram, however, identified a bug in the manner these messages were passed to “feedback.googleusercontent.com,” thus allowing an attacker to modify the frame to an arbitrary, external website, and in turn, steal and hijack Google Docs screenshots which were meant to be uploaded to Google’s servers.”
They continued to explain the bug Sreeram found was related to a “lack of X-Frame-Options header in the Google Docs domain.” That allowed hackers to change the target of the message and exploit the content contained with it. Theoretically, a bad actor could take a screenshot of private documents and reroute them to themselves.
The Fix
Anytime a website uses an add-on like an iFrame or pop-up box that feeds information from a different domain, it could expose the website for exploitation.
The Hacker News quoted Mozilla documentation for the fix “Always specify an exact target origin, not *, when you use postMessage to send data to other windows. A malicious site can change the location of the window without your knowledge, and therefore it can intercept the data sent using postMessage.”
The Bottom Line
Google has since patched the bug, and Sreeram was awarded a nice prize for discovering it and reporting it to the search engine giant. Google is widely accepted as a very safe platform, but this lesson shows us that no one is safe from hacking, and no digital online service is exempt from bugs and possible exploitation.
A final warning to users is to never store personal or sensitive information in the cloud. There is always the chance that someone other than your intended recipient could view, steal, or use that information for identity theft or fraud.