Clickjacking in Google Docs and Voice typing feature.
What is Clickjacking?
Clickjacking is when a user unknowingly performs sensitive actions on a page that is embedded (mostly in an iframe) in another webpage, on a different or the same domain/subdomain.
The Google Docs page response doesn't have an X-Frame-Options header, i.e. it can be embedded into any other webpage.
Google Docs has a feature called voice typing, where the user speaks and the speech is typed into the document.
Tools → VoiceTyping → Click to speak
I have created a public Google Doc and embedded it in an iframe in my webpage, with the microphone allowed.
<iframe src="https://docs.google.com/document/d/1VIhSkvFKar2bwHjORiI3GPT2wYWZ10P7QP42FpLrxY0/edit" allow="microphone *"></iframe>
An attacker can then share the webpage with the victim and record the victim's private conversations (with the help of a few clicks).
Bounty: 2337$
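A defender-side check for the condition noted above (a response with no framing restriction), added here as an example that is not part of the original write-up. The function names, labels and sample headers are constructed for illustration, and the check assumes a single enforced Content-Security-Policy per response.

```python
def framing_exposure(headers):
    """Classify who may frame a response: 'any', 'allowlist', 'self' or 'none'."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors, when present, supersedes X-Frame-Options.
    # Assumption: one enforced policy per response.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if not sources or sources == ["'none'"]:
            return "none"
        # A wildcard or a bare scheme source admits arbitrary origins.
        if any(s in ("*", "https:", "http:") for s in sources):
            return "any"
        if all(s == "'self'" for s in sources):
            return "self"
        return "allowlist"

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "none"
    if xfo == "sameorigin":
        return "self"
    # Header missing, or ALLOW-FROM / unknown values that current browsers ignore.
    return "any"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no framing headers": {"Content-Type": "text/html"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp allowlist": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
    "csp scheme beats xfo": {"X-Frame-Options": "DENY",
                             "Content-Security-Policy": "frame-ancestors https:"},
}


def unprotected(samples):
    """Names of sample responses that any origin could embed in an iframe."""
    return sorted(n for n, hdrs in samples.items() if framing_exposure(hdrs) == "any")


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:22} -> {framing_exposure(hdrs)}")
```

Pages that expose microphone, camera or other one-click sensitive actions are the ones where an "any" result matters most.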