A nasty bug that could enable a malicious actor to see the contents of other people’s Google Docs documents has been patched by Google, and the details have now been published. The flaw lies in the “Send Feedback” feature, which allows users to include a screenshot in their feedback report/message. Security researcher “Sreeram KL” found a way to hijack these screenshots by exploiting a postMessage misconfiguration, so he essentially found a way to steal images showing the contents of other people’s documents.
The researcher realized that there is cross-origin communication between the loading of the “Send Feedback” iframe and the rendering of the screenshot, so he examined the postMessage exchange and noticed that a base64 encoding is involved in reconstructing the image from its RGB pixel values. The trick was to change the location of the iframe through the “frames.location” parameter and point it at a domain controlled by the attacker (in this case, the researcher himself). Google has several clickjacking protections in place, but nothing checks the domain that receives the message, so the hijack works.
This was discovered back on July 9, 2020, and reported to Google’s Vulnerability Reward Program. The researcher received a bounty of $3,133.7 for the finding, which is now fixed. If you’re worried about having been exposed to this bug before this summer, note that the attack would only work if you actually clicked the “Send feedback” button. There was no way for this to be a zero-click attack, so leveraging the flaw required some user interaction.
Also, the chances of someone having found this bug before the researcher are slim, but one cannot rule it out. “Sreeram KL” says that the first hunch, looking for an XSS flaw that would let a hacker hijack the RGB values of the pixels and reconstruct the screenshot on their own machine, leads nowhere. Possibly, many hackers stopped at that step and gave up.
Google Docs is a cloud service, and as such, you shouldn’t use it to store or share very sensitive information. There is always the likelihood of something leaking or being stealthily accessible to others. Features like “Send Feedback” add convenience, but that convenience always comes at the cost of security.