Google has patched a bug in its feedback tool incorporated across its services that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents simply by embedding them in a malicious website.
The flaw was discovered on July 9 by security researcher Sreeram KL, for which he was awarded $3133.70 as part of Google’s Vulnerability Reward Program.
Many of Google’s products, including Google Docs, come with a “Send feedback” or “Help Docs improve” option that allows users to send feedback along with an option to include a screenshot — something that’s automatically loaded to highlight specific issues.
But instead of duplicating the same functionality across its services, Google deploys the feedback feature on its main website (“www.google.com”) and integrates it into other domains via an iframe element that loads the pop-up’s content from “feedback.googleusercontent.com.”
This also means that whenever a screenshot of the Google Docs window is included, rendering the image necessitates the transmission of RGB values of every pixel to the parent domain (www.google.com), which then redirects those RGB values to the feedback’s domain,…
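The cross-frame relay described above, as an added example rather than Google's own code: a parent-page handler that accepts pixel data only from an allowlisted frame origin, checks the payload's shape, and forwards it only to the pinned feedback origin. It assumes the frames exchange the data with postMessage, and the origin strings and payload layout are constructed for illustration.

```javascript
// Added example (not Google's code). Constructed origins standing in for the
// frames the article describes; postMessage as the transport is an assumption.
const DOCS_ORIGIN = "https://docs.google.com";                     // frame that captures the screenshot
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";  // frame that renders it
const ALLOWED_SENDERS = new Set([DOCS_ORIGIN]);

// Shape check on the payload so an arbitrary message cannot be relayed as
// if it were screenshot data (constructed layout: width, height, flat RGB).
function isScreenshotPayload(data) {
  return (
    data !== null && typeof data === "object" &&
    data.type === "screenshot" &&
    Number.isInteger(data.width) && Number.isInteger(data.height) &&
    data.width > 0 && data.height > 0 &&
    Array.isArray(data.rgb) && data.rgb.length === data.width * data.height * 3
  );
}

// Decide whether to relay a message from the child frame to the feedback
// frame. Returns a result object so callers (and tests) can see why a
// message was dropped.
function relayScreenshot(event, feedbackWindow) {
  // event.origin is set by the browser and cannot be spoofed by the sender.
  if (!ALLOWED_SENDERS.has(event.origin)) {
    return { relayed: false, reason: "untrusted origin " + event.origin };
  }
  if (!isScreenshotPayload(event.data)) {
    return { relayed: false, reason: "malformed payload" };
  }
  // Never pass "*" as the target origin: pinning it means the pixels are
  // delivered only if the frame really is the feedback origin.
  feedbackWindow.postMessage(event.data, FEEDBACK_ORIGIN);
  return { relayed: true, reason: "" };
}

// In a browser the handler would be wired up as:
//   window.addEventListener("message",
//     (e) => relayScreenshot(e, feedbackFrame.contentWindow));

// Constructed stand-in for the feedback frame that records what it receives.
function makeFakeFeedbackWindow() {
  const calls = [];
  return { calls, postMessage: (data, targetOrigin) => calls.push({ data, targetOrigin }) };
}
```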