Massive XS-Search over multiple Google products

A couple of months back, I took part in researching the dangers of the Cache Probing Attack and new ways to exploit the vulnerability across multiple platforms. I was able to prove that it was possible to leak significant information about the user on several Google products, such as their private emails, tokens, credit card numbers, phone numbers, bookmarks, private notes and much more.

Leaking user’s emails — Proof of Concept

A brief summary of the attack

  1. On the malicious evilwebsite.com, the attacker removes a specific resource from the browser cache, e.g. a “not found” image.
  2. The malicious website forces the user to search in the background for attacker-controlled phrases, which can be done, for example, by manipulating window.opener.
  3. The evilwebsite.com page checks whether the search loaded the resource by probing whether it is now served from the browser cache.
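
The three steps above can be traced in a toy cache model; this is an added example, not the author's PoC, and it uses no real browser APIs. ToyCache, victim.example and the sample items are constructed, and the partitioned mode (cache keyed by top-level site, as current browsers partition their HTTP cache) is an addition for comparison that the page does not discuss.

```javascript
// Toy model of a browser HTTP cache (hypothetical class, not a browser API).
class ToyCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.entries = new Set();
  }
  // Shared cache: key is the URL only. Partitioned: key includes the top-level site.
  key(topSite, url) { return this.partitioned ? `${topSite}|${url}` : url; }
  evict(topSite, url) { this.entries.delete(this.key(topSite, url)); }
  load(topSite, url) { this.entries.add(this.key(topSite, url)); }
  isCached(topSite, url) { return this.entries.has(this.key(topSite, url)); }
}

// Constructed sample data: the user's private items and the "not found" image.
const NOT_FOUND_IMG = "https://victim.example/img/not-found.png";
const PRIVATE_ITEMS = ["invoice from bank", "flight to Lisbon"];

// Search page on the victim site: loads the image only when nothing matches.
function victimSearch(cache, query) {
  const hit = PRIVATE_ITEMS.some((item) => item.includes(query));
  if (!hit) cache.load("victim.example", NOT_FOUND_IMG);
}

// Steps 1-3 of the summary; returns what the probing page concludes.
function probe(cache, query) {
  const me = "evilwebsite.com";
  cache.evict(me, NOT_FOUND_IMG);   // step 1: clear the marker resource
  victimSearch(cache, query);       // step 2: search runs as a top-level page
  return cache.isCached(me, NOT_FOUND_IMG) ? "no results" : "has results"; // step 3
}

// The oracle leaks if a matching and a non-matching query give different answers.
function leaks(cache) {
  return probe(cache, "Lisbon") !== probe(cache, "zzz-no-match");
}

console.log("shared cache leaks:", leaks(new ToyCache(false)));
console.log("partitioned cache leaks:", leaks(new ToyCache(true)));
```

With the shared cache the two queries are distinguishable; with the partitioned cache the probing page sees the same answer for both, so the cache no longer works as an oracle.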

Protections

The report

In the original report, I included a proof of concept that worked at the time and probably is not working anymore, but given that the issue was not yet fully fixed on other platforms and browsers, I decided to keep it private for now.

PoC in action

Security enthusiast that loves playing CTFs and hunting for bugs in the wild. Also likes to do some chess once in a while. twitter.com/terjanq
