Using Google’s trust to exploit users and spread malware
About two weeks ago I found an issue in one of Google's web applications that lets an attacker run malicious scripts in the background of a page on a Google domain (e.g. http://www.google.com/…) simply by sending that link to an unsuspecting user. The problem lies in the Google Images feature.
Note: This vulnerability has not been patched (as of 8/11/10).
However, I have informed Google about it. Their reply is as follows:
“While it’s possible this could be used to trick some users into visiting a site they wouldn’t ordinarily click, it would be impossible to provide a useful service without doing this.”
This article will be broken down into 4 sections:
I. How the vulnerability works
II. Vulnerability PoC Video
III. Impact of the vulnerability
IV. Possible solutions
I. How the vulnerability works
- When the user clicks to preview an image in Google Images, the browser is taken to a page at http://www.google.com/imglanding?q=…, whose parameters identify the selected image and the page it was found on.
- That landing page shows the image in the foreground and, at the same time, loads the page the image came from inside an <iframe> in the background. The top-level page is still google.com, but the framed page is loaded from the image host's domain, so whatever script that host serves runs as soon as the landing page opens.
II. Vulnerability PoC Video
The video below shows an example of a malicious link presented to the user. If the user clicks the link, they are taken to the Google site, and the malicious code loads from the domain of the image without any consent or intervention by the user. The video shows the malicious script redirecting the user to another website, where they are prompted to download a malicious file.
III. Impact of the Vulnerability
As long as Google has indexed the image (and therefore the page hosting it), the attack is possible. This can lead to a one-click infection of a user's web browser through a trusted Google domain link, and so to a breach of the trust users place in links on that domain. Besides sending the 'malicious' Google links directly, an attacker could also use search engine optimization (SEO) to get pages hosting such images ranked in image search results and spread malware that way.
IV. Possible Solutions
I have thought of several possible solutions to counter this issue. Some of them are:
- A server-side 'safe' loader that renders the referring site for display to the user, but does not execute redirects, scripts or other potentially malicious content from it.
- A warning shown to the user before the site is loaded or before they are redirected to it. The warning could appear when the user closes the picture (which takes them to the original site that was loaded in the background). For example, Facebook's redirect page, http://www.facebook.com/l.php?…, warns the user before loading the destination.
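The landing-page pattern from section I and the two mitigations from section IV, as an added example written for this article: it is not code from the original post and not Google's implementation. The page layout, the `TRUSTED_HOST` value, the `/warn?u=` interstitial path and the attacker.example URLs are all assumptions made for the demonstration.

```javascript
// Added example: a hypothetical "image landing" page rendered two ways.
// renderLandingPage() reproduces the pattern described in the post: the
// image in front, the page it came from in a background iframe.
// renderHardenedLandingPage() applies the post's proposed fixes: the framed
// site's scripts are not executed, and leaving for that site goes through a
// warning page first.
const TRUSTED_HOST = "www.google.com"; // assumption: the host whose link the user trusts

// Escape a value for use inside a double-quoted HTML attribute, so a crafted
// URL cannot close the src="..." attribute and inject its own markup.
function escapeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// True when following the URL would take the user off the trusted host.
// Unparseable and non-http(s) URLs (javascript:, data:, ...) count as external.
function isExternal(url) {
  let u;
  try {
    u = new URL(url);
  } catch (e) {
    return true;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return true;
  return u.hostname.toLowerCase() !== TRUSTED_HOST;
}

// Section I pattern: the referring page is framed with no restrictions, so any
// script it serves runs as soon as the landing page is opened.
function renderLandingPage(imageUrl, pageUrl) {
  return [
    '<img src="' + escapeAttr(imageUrl) + '">',
    '<iframe src="' + escapeAttr(pageUrl) + '"></iframe>',
  ].join("\n");
}

// Hypothetical interstitial, in the spirit of the Facebook l.php page the post
// mentions: the real page would show the destination and ask for confirmation.
function warningUrl(pageUrl) {
  return "https://" + TRUSTED_HOST + "/warn?u=" + encodeURIComponent(pageUrl);
}

// Section IV fixes. An empty sandbox attribute turns on every iframe
// restriction (no script execution, no plugins, no form submission, no
// navigation of the top-level page), so a redirect script in the framed page
// cannot run. The only route to the site is a visible link, and that link goes
// through the warning page whenever the destination is off the trusted host.
function renderHardenedLandingPage(imageUrl, pageUrl) {
  const link = isExternal(pageUrl) ? warningUrl(pageUrl) : pageUrl;
  return [
    '<img src="' + escapeAttr(imageUrl) + '">',
    '<iframe sandbox src="' + escapeAttr(pageUrl) + '"></iframe>',
    '<a href="' + escapeAttr(link) + '">Go to the page this image is from</a>',
  ].join("\n");
}

// Constructed sample: an attacker-controlled site that hosts the indexed image.
const SAMPLE_IMAGE = "http://attacker.example/cat.jpg";
const SAMPLE_PAGE = "http://attacker.example/index.html";

console.log("--- pattern from section I ---");
console.log(renderLandingPage(SAMPLE_IMAGE, SAMPLE_PAGE));
console.log("--- hardened ---");
console.log(renderHardenedLandingPage(SAMPLE_IMAGE, SAMPLE_PAGE));
```

Two caveats on the hardened version. The iframe sandbox attribute was not widely supported by browsers when this post was written, so at the time only the server-side loader described above would have given the same guarantee everywhere. And a sandboxed frame still fetches the page, so the image host still learns that a visit happened and any browser bug in parsing its HTML or images is still exposed; a server-side loader that renders the page itself and hands the user only safe output removes that too.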
Do feel free to share and discuss your opinions and suggestions.