Clickjacking in Google Docs and Voice typing feature.

What is Clickjacking?

Unknowingly performing some sensitive actions on a webpage embedded(mostly in iframes) in any webpage with different or same domain/subdomain.

Google Docs page response doesn’t have x-frame-options headers i.e; it can be embedded into any other webpage.

There is a feature called voice typing in google docs where the user can speak and type in google docs.

Tools → VoiceTyping → Click to speak

I have created a public google doc and embed it in an iframe into my webpage with allow microphone.

<iframe src=”https://docs.google.com/document/d/1VIhSkvFKar2bwHjORiI3GPT2wYWZ10P7QP42FpLrxY0/edit" allow=”microphone *”></iframe>

An attacker can then share the webpage with the victim and can record private conversations of the victim (with the help of few clicks).

Bounty: 2337$