EDGE 2015 is starting in

Find out more EDGE 2015
Menu
Bug bounty hunters reveal eight vulnerabilities in Google services

Bug bounty hunters reveal eight vulnerabilities in Google services

The two security researchers explained how they found so many bugs in such a short space of time

Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.

The bugs they revealed were found in Google's blog platform Blogger, its Analytics service and in Google Calendar, amongst other services.

The two most interesting once are the bugs found in Calendar and Analytics, said Itzhak Avraham, security researcher and founder of the Tel Aviv-based security firm Zimperium.

Cross-site-scripting (XSS) vulnerabilities are the most common bugs found in Google's services, Avraham and his fellow security researcher Nir Goldshlager said during their Hack in the Box presentation. XSS attacks -- allowing the execution of malicious code from one website or file as if it belonged to another -- are not just about stealing account data, but can also be used for hacking a victim's computer, they said. "Hacking your Gmail is not as interesting as hacking your computer," Avraham added.

"The Calendar bug is one of my favorites because you get the user to execute the bug for you," Avraham said. The researchers found a way to get a Calender user to trigger a XSS attack by using the application's sharing option. This was done by sharing the attackers' own calendar items with the victim more than five times, effectively spamming the user and encouraging him to delete the unwanted shared calendar items. After the user deleted five shared items an error message would pop-up saying the selected calendar item would not load, after which a stored XSS-attack would be triggered, allowing the attackers to hack into the victim's computer.

Avraham also highlighted the Analytics bug. According to him it is easy to see which sites use Analytics because the service's code can be spotted in the source of a Web page. Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests.

The researchers found two ways to exploit the vulnerability. One of them involved the attacker sharing his own In-Page Analytics profile with the victim. The victim then would receive a message that an Analytics profile was shared with him, enticing him to check who shared it, causing the attacker's XSS infected Web site to load into the In-Page viewer, executing the attack, allowing the attackers to hack the victims computer.

Avraham and Goldshlager called themselves bug hunters, hackers that actively look for bugs in software from vendors that pay a bounty for reports of vulnerabilities. Companies including Google, Facebook and Mozilla typically pay between $500 and $3,000 for bugs discovered in their software, the researchers said. According to them, the best way to find bugs in big services like that is keeping track of what the companies do, for instance by tracking acquisitions. Newly added services are not always as well protected, Avraham said.

The researchers also presented bugs they found in Google's Feedburner, Knol, FriendConnect and Picnik services, and in the Google Affiliate Network.

The bug they found in photo editing service Picnik involved an old version of the open source email application phpList, which is riddled with security holes, they said. Besides that, Google used the default user name and password for that application, they added.

"That was a very big mistake," Goldshlager said, adding that when they revealed the bug to Google the person responsible for using phpList was fired, because this vulnerability could have led to a full server compromise. The bug bounty hunters received $3,133.70 for the discovery of the leak.

All bugs reported to Google that they mentioned during Hack in the Box had been fixed before the presentation, the researchers said.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

EDGE 2015:: For all the latest on EDGE 2015 including the keynote speakers visit the EDGE mini-site now

2015 ARN ICT Industry Awards: Nominations for the 2015 ARN ICT Industry Awards close on June 26. NOMINATE NOW!!!

Follow Us

Join the ARN newsletter!

Error: Please check your email address.

Upcoming

Slideshows

In Pictures: Robots that cook, clean, sing and dance
Tech Hive

In Pictures: Robots that cook, clean, sing and dance

Cooking, learning language and doing the laundry are a few of the human skills demonstrated by.real humanoid bots featured in the National Geographic movie Robots.

In Pictures: Robots that cook, clean, sing and dance
IN PICTURES: OKI Data Australia partner event (+10 photos)
Business Products

IN PICTURES: OKI Data Australia partner event (+10 photos)

OKI recently hosted its ChannelOne dealer forum for its executive series channel partners to get together and learn about the company's new high-performance ES8400 A3 multifunction series printers. After a welcome and business overview from OKI Data Australia managing director, Dennie Kawahara, delegates were given a comprehensive overview of the new product, as well as an update on the latest marketing initiatives and software solutions, before being treated to live demos and a product showcase. Partners were also given a preview of OKI’s upcoming A3 digital LED white toner printer. With more than 60 delegates attending from all over the country, the day concluded with dinner at Casa Ristorante Italiano in Sydney and several delegates also participated in a friendly game of golf the following morning.

IN PICTURES: OKI Data Australia partner event (+10 photos)

iasset.com is a channel management ecosystem that automates all major aspects of the entire sales, marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.

Show Comments