Monday, March 21, 2011

Google Feature or Bug ?

Nobody's perfect, not even Google! Thanks to REz (a member of the CeSeNA group) I found out about this interesting feature (or bug?).

Try it yourself; this is the vulnerable link:

http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search

The cof variable does not seem to be filtered. Even the best web company on the web can fall for common vulnerabilities.

Here is the TheHackerNews report.


UPDATE-1:
If you think like Anonymous:

"There's nothing weird about the "col" argument. It's there to let users add a logo to the search page, when they embed a site search on their own page. It's restricted to a specific Google domain, and there's no way to break out of the src attribute."

Please try it yourself before writing insulting comments.

Here is the link:

http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search

As you can see, profile.ak.fbcdn.net is outside the specific Google domain.

Again, I have not changed (or personalized) the Google logo; it is still there. By the way, I am not saying that this is a huge Google bug that you can exploit or whatever. I am just saying that through "cof" and "L" you can insert something weird, at least to me. Is this a feature? Well, fine by me. Please stop being offensive while hiding behind anonymity.
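A server-side check of the kind Anonymous describes (a logo URL restricted to a specific Google domain) is shown below as an added example, not Google's code, run against the two links from this post; the allow-list, the ';'-separated KEY:VALUE layout of the cof value and the set of rejected characters are my assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list: the domains a custom-search logo image may be loaded from.
ALLOWED_LOGO_DOMAINS = ("google.com", "googleusercontent.com")
# Characters that would let a value break out of an HTML src attribute.
ATTRIBUTE_BREAKERS = '"\'<>\\'

# The two search links quoted in the post (copied from the page, not constructed).
LINK_GOOGLE_HOSTED = ("http://www.google.com/custom?hl=en&cof=L%3Ahttps://lh5.googleusercontent.com/"
                      "-EvyPBS_l_xs/AAAAAAAAAAI/AAAAAAAAAAA/zPEV7I5plmE/photo.jpg?sz=200"
                      "&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search")
LINK_EXTERNAL = ("http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/"
                 "hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg"
                 "&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search")

def extract_logo_url(search_url):
    """Return the value of the 'L:' field inside the cof query parameter, or None."""
    query = parse_qs(urlsplit(search_url).query)
    cof = query.get("cof", [None])[0]
    if cof is None:
        return None
    # Assumption: cof is a ';'-separated list of KEY:VALUE fields; 'L' carries the logo URL.
    for field in cof.split(";"):
        key, sep, value = field.partition(":")
        if sep and key == "L":
            return value
    return None

def host_allowed(host, allowed_domains):
    # Exact match or a proper subdomain; a plain suffix test would accept 'evilgoogle.com'.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def check_logo_url(logo_url):
    """Return (accepted, reason) for a candidate logo URL."""
    if logo_url is None:
        return False, "no L: field in cof"
    if any(c in logo_url for c in ATTRIBUTE_BREAKERS):
        return False, "attribute-breaking character in URL"
    parts = urlsplit(logo_url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname or not host_allowed(parts.hostname, ALLOWED_LOGO_DOMAINS):
        return False, "host %r not in allow-list" % parts.hostname
    return True, "ok"

def check_search_link(search_url):
    """Validate the logo embedded in a complete /custom search link."""
    return check_logo_url(extract_logo_url(search_url))
```

With these rules the first link (a googleusercontent.com image) is accepted and the second (profile.ak.fbcdn.net) is refused, which is the behaviour the quoted comment claimed and the post shows is not enforced.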


UPDATE-2:
Many emails forced me to change the title from "Google XSS" to "Google Feature or Bug ?".


20 comments:

TheSur said...

And where is the XSS? It looks like a feature to customize just with an image.

Boris Fersing said...

I also think it's not a security flaw but a feature.

Most websites which have a "Search using Google" feature change the Google logo for the website logo.

Marco Ramilli said...

Well, the feature in the "col" variable called with a "L:" tag is not trivial at all, and I am not sure what the meaning of that is. I still have not tried including anything other than an image. If you try with quick inclusion you might see that Google does not filter " ' ", "\", "/", and so forth, while it filters " " " and " ><". So the behavior is pretty weird. Probably it's not a huge problem, but I think it would be nice to investigate this parameter (col) called with this particular tag "L:" further.

@Boris: I did not change any Google logo. If you look at the picture, the Google logo is still where it should be.

Anonymous said...

That's not even close to being an XSS vulnerability.

Had it been an *actual* vulnerability, disclosing it like this would be lame. Be responsible, and don't spread sensationalist bullshit.

Anonymous said...

read "XSS for Dummies"

Marco Ramilli said...

@ both Anonymous: please read my previous comment.

Marco Ramilli said...

@Anonymous: "There's nothing weird about the "col" argument. It's there to let users add a logo to the search page, when they embed a site search on their own page. It's restricted to a specific Google domain, and there's no way to break out of the src attribute."

http://www.google.com/custom?hl=en&cof=L%3Ahttp://profile.ak.fbcdn.net/hprofile-ak-snc4/41644_100001697891319_8196115_n.jpg&q=http%3A%2F%2Fwww.marcoramilli.com%2F&btnG=Search

As you can see, profile.ak.fbcdn.net is outside the specific Google domain. Again, I have not changed (or personalized) the Google logo. It's still there.

Anonymous said...

So how ... exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?

Marco Ramilli said...

@Anonymous:

1) " So how ... exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?"

Yes, it might be a nice attack. A sweet "YOU WON" picture saying the user has to connect to X and drop a special code there, for example. X would be a malicious website.

2) Please read the updates

Sergis said...

that's not xss pal. That's you being confused.

Marco Ramilli said...

Of course, my dear friend, it is not an XSS. It was only an example to show you how your ironic comment ("So how ... exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?") was not ironic at all. My point was, and is, the strange way they filter the variable. If you give it some tries, as I already said here ("If you try with quick inclusion you might see that Google does not filter " ' ", "\", "/", and so forth, while it filters " " " and " ><". So the behavior is pretty weird. Probably it's not a huge problem, but I think it would be nice to investigate this parameter (col) called with this particular tag "L:" further."), you will probably get my point.

If you are interested in following this topic, please contact me directly; for example, Skype could be a good way to reach me, or email me. Thank you very much.

Technology and Information Security said...

While an XSS is not applicable, it is an excellent platform to launch XSRF using Google.

While I have not tried this before, maybe it is possible to get an XSS by leveraging the MHTML bug.

Marco Ramilli said...

I do agree with your comment Technology and Information Security.

pgl said...

Hi,

You might already be aware of this, but the RSS feed on your site includes a single word, "marketing", linking to "hxxp://www.bidvertiser.com/bdv/BidVertiser/bdv_advertiser.dbm". Seems a bit fishy to me.

cheers,

- pgl

latest pc games said...

So how ... exactly .. do you propose to exploit this? By linking an image so foul the poor target user breaks down and voluntarily emails you his password?.usagamezone.blogspot.com

www.crearpaginaweb.com said...

Everything you are saying is erroneous.

webdesign said...

A good feature blog is presented with great information. That is very useful and helpful. Thanks for this blog.
best web design company

Alexis Bob said...

Although not a must, most good quality blogs are interactive, allowing visitors to leave comments and even message each other via GUI widgets on the blogs and it is this interactivity that distinguishes them from other static websites. In that sense, blogging can be seen as a form of social networking. Indeed, bloggers do not only produce content to post on their blogs but also build social relations with their readers and other bloggers.

Alexis Bob
web design company | web design halifax | website design halifax | web 2.0

ethical hacking workshops said...

Certified Ethical Hacker (CEH) training is held at TechBharat Consulting using the official EC-Council curriculum. CEH certification certifies you as an Ethical Hacker and Penetration Tester. CEH training is held on Version 7.
ethical hacking workshops

Web Design Company said...

Frequently visiting the great info is visible in this website that to using the great info is visible in this blog. Thanks a lot for providing the great info is visible in this blog that to sharing the great technology in this website.