Vulnerability in Google spreadsheets allows cookie stealing

April 14, 2008 – 6:09 AM

Security researcher Billy Rios has discovered a vulnerability in Google Spreadsheets which attackers can exploit using links to crafted tables to steal a user’s cookie. According to Rios, the victim has to follow such a link in Internet Explorer. The stolen cookie can be used to access all Google services with the victim’s identity, including reading the victim’s Google Mail.

Rios explains on his blog that the security vulnerability results from incorrect content-type headers or the browser ignoring these headers in HTTP responses returned by the server. The problem is not confined to Internet Explorer: according to Rios, Firefox, Safari and Opera can also ignore the content-type header and attempt to determine the server response content type themselves.

Rios has succeeded in exploiting the vulnerability by injecting HTML content into the server response. To do so he generated a table, the first cell of which contained HTML code and a snippet of JavaScript for displaying the user’s cookie. Google spreadsheets can export data in the text-based csv format, which Internet Explorer interprets as HTML.

“With this single XSS, I can read your Gmail, backdoor your source code (code.google.com), steal all your Google Docs, and basically do whatever I want on Google as if I were you!” notes Rios. Google has now fixed the vulnerability and the browser now renders such crafted table content as text rather than HTML.

Source: Heise Security

You must be logged in to post a comment.