Bug bounty hunters reveal eight vulnerabilities in Google services

The two security researchers explained how they found so many bugs in such a short space of time

Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.

The bugs they revealed were found in Google's blog platform Blogger, its Analytics service and in Google Calendar, amongst other services.

The two most interesting ones are the bugs found in Calendar and Analytics, said Itzhak Avraham, security researcher and founder of the Tel Aviv-based security firm Zimperium.

Cross-site scripting (XSS) vulnerabilities are the most common bugs found in Google's services, Avraham and his fellow security researcher Nir Goldshlager said during their Hack in the Box presentation. XSS attacks -- allowing the execution of malicious code from one website or file as if it belonged to another -- are not just about stealing account data, but can also be used for hacking a victim's computer, they said. "Hacking your Gmail is not as interesting as hacking your computer," Avraham added.

"The Calendar bug is one of my favorites because you get the user to execute the bug for you," Avraham said. The researchers found a way to get a Calendar user to trigger an XSS attack by using the application's sharing option. This was done by sharing the attackers' own calendar items with the victim more than five times, effectively spamming the user and encouraging him to delete the unwanted shared calendar items. After the user deleted five shared items, an error message would pop up saying the selected calendar item would not load, after which a stored XSS attack would be triggered, allowing the attackers to hack into the victim's computer.

Avraham also highlighted the Analytics bug. According to him, it is easy to see which sites use Analytics because the service's code can be spotted in the source of a web page. Analytics allowed attackers to send an XSS link to an administrator of a targeted website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests.

The researchers found two ways to exploit the vulnerability. One of them involved the attacker sharing his own In-Page Analytics profile with the victim. The victim would then receive a message that an Analytics profile had been shared with him, enticing him to check who shared it, which caused the attacker's XSS-infected website to load into the In-Page viewer, executing the attack and allowing the attackers to hack the victim's computer.

Avraham and Goldshlager called themselves bug hunters, hackers that actively look for bugs in software from vendors that pay a bounty for reports of vulnerabilities. Companies including Google, Facebook and Mozilla typically pay between $500 and $3,000 for bugs discovered in their software, the researchers said. According to them, the best way to find bugs in big services like that is keeping track of what the companies do, for instance by tracking acquisitions. Newly added services are not always as well protected, Avraham said.

The researchers also presented bugs they found in Google's Feedburner, Knol, FriendConnect and Picnik services, and in the Google Affiliate Network.

The bug they found in photo editing service Picnik involved an old version of the open source email application phpList, which is riddled with security holes, they said. Besides that, Google used the default user name and password for that application, they added.

"That was a very big mistake," Goldshlager said, adding that when they revealed the bug to Google the person responsible for using phpList was fired, because this vulnerability could have led to a full server compromise. The bug bounty hunters received $3,133.70 for the discovery of the leak.

All bugs reported to Google that they mentioned during Hack in the Box had been fixed before the presentation, the researchers said.

Loek covers all things tech for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com


Loek Essers

IDG News Service