Google Books X-Hacking

terjanq
Mar 21
Proof of Concept in action

Vulnerabilities

Attack scenario

A regular user of Google Books visits a malicious website. Upon any interaction, a new window is opened in the background. By manipulating the cross-origin location property of that window, the malicious page can easily exploit the previously mentioned vulnerabilities and hence exfiltrate the user’s sensitive data.

Attack implementation and improvements

Important update from Google

As a result, vulnerability reports in this area are likely to be duplicates unless they significantly change our understanding of our defenses and mitigations. We will be posting in this page the web applications and endpoints that we believe are properly protected against XS-Search, and we will be issuing Vulnerability Research Grants to audit the effectiveness of our defenses, but until then, we don’t recommend bug hunters to spend a lot of time on this (as to avoid duplication of effort). [1]

Timeline

