How Hackers Could Hijack Google Docs Data Using the Send Feedback Bug

Google provides a “Send Feedback” option in Google Docs, Google Sheets and many of its other services. As the name suggests, the feature exists so that users can send Google feedback or report bugs, broken links or any other issue they run into.

[Image: Google Feedback dialog]

When you click the option, a popup window appears asking you to describe the problem, and a screenshot of the page is taken automatically so that the report is easier to understand. Once you click Send, the description and the screenshot are uploaded to Google for processing.

But what if the feature Google provides to help you could be used to steal your data?

That was the case: a bug in Google's “Send Feedback” button, shared across its services, allowed an attacker to steal a victim's data in the form of screenshots.

On July 9th, 2020 the researcher Sreeram KL discovered this bug, and he was awarded $3133.70 (around 2 lakh Indian rupees) under Google's Vulnerability Reward Program.

The following section explains the bug in detail.

How the Google Send Feedback Bug Works

If you are using Google Docs and find a bug or issue, you can submit feedback to Google.

Go to the Help menu and choose Send Feedback.

A window then pops up on your screen with a screenshot of your work already loaded. Under the hood, Google Docs sends the RGB value of every pixel of that screenshot to the main frame of the feedback dialog via postMessage. The main frame then relays these RGB values to its own iframe, i.e. …

[Image: Send Feedback window]

feedback.googleusercontent.com, which renders and stores the image and sends its base64-encoded data back to the main frame.

How an Attacker Uses This Bug

An attacker interferes with this process by replacing the iframe used by the feedback feature with a frame on their own domain. After that change, the postMessage carrying the screenshot data is sent straight to the attacker.

The researcher's video, attached below, walks through the entire process.

On its own, that is not enough. The researcher therefore checked the X-Frame-Options header of the parent domain and found that Google Docs did not send one, meaning the editor itself could be loaded inside an iframe on the attacker's page. The exploit was then put together around that.

[Image: exploit code]

The exploit waits about 6 seconds for the editor to load, then keeps changing the location of the feedback iframe every 100 ms, so the frame is pointed at the attacker's domain even if it did not exist when the page first loaded.

The whole attack hinges on one finding: because the framed page carried no X-Frame-Options header, the attacker's page could embed it and change the location of the nested iframe. The attack requires user interaction, so the victim has to click the “Send Feedback” button while the editor is loaded inside the attacker's page; the exploit then captures the screenshot and sends it to the attacker's domain.
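The following is an added example written for this article, not the researcher's exploit or Google's code. It models, in plain Node.js, the two browser rules the attack depends on: a page may navigate an iframe nested beneath it, and a postMessage sent with targetOrigin "*" is delivered to whatever document is currently loaded in the target frame. The relay hop through the feedback dialog's main frame is collapsed into a single hop, the attacker origin https://attacker.example is assumed, and the screenshot is a constructed 2x1 pixel stand-in.

```javascript
"use strict";

// Minimal model of browser windows and window.postMessage. Assumed for this
// example: origins, frame names and the Frame class are illustrative only.
class Frame {
  constructor(origin, name) {
    this.origin = origin;   // origin of the document currently loaded here
    this.name = name;
    this.frames = [];       // nested iframes, like window.frames
    this.listeners = [];    // "message" handlers of the current document
  }
  append(child) { this.frames.push(child); return child; }
  // Navigating a frame replaces its document: the new origin takes over and
  // every handler the old document registered is gone.
  navigate(origin) { this.origin = origin; this.listeners = []; }
  onMessage(handler) { this.listeners.push(handler); }
  // Browser delivery rule: "*" delivers to whatever document is loaded now;
  // an explicit targetOrigin delivers only if it matches that document.
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    const event = { data, origin: sender.origin, source: sender };
    for (const h of this.listeners) h(event);
    return true;
  }
}

const ATTACKER = "https://attacker.example";           // assumed attacker origin
const DOCS = "https://docs.google.com";
const FEEDBACK = "https://feedback.googleusercontent.com";

// Builds the frame tree, optionally performs the attacker's navigation, then
// has the editor post the screenshot. Returns who ended up with the data.
function runScenario({ targetOrigin, attackerNavigatesFrame }) {
  // The attacker's page frames the editor (possible only because
  // docs.google.com sent no X-Frame-Options header), which frames the widget.
  const attackerTop = new Frame(ATTACKER, "attacker-top");
  const docs = attackerTop.append(new Frame(DOCS, "docs"));
  const feedback = docs.append(new Frame(FEEDBACK, "feedback"));

  const result = { delivered: false, legitimateGot: null, attackerGot: null };
  feedback.onMessage(e => { result.legitimateGot = e.data; });

  if (attackerNavigatesFrame) {
    // A page may navigate any frame nested beneath it. The real exploit
    // retried this every 100 ms after a 6 s wait; here it is done once.
    const target = attackerTop.frames[0].frames[0];
    target.navigate(ATTACKER);
    target.onMessage(e => { result.attackerGot = e.data; });
  }

  // Constructed stand-in for the screenshot: RGB values of a 2x1 pixel image.
  const screenshot = { width: 2, height: 1, rgb: [255, 0, 0, 0, 255, 0] };
  result.delivered = docs.frames[0].postMessage(screenshot, targetOrigin, docs);
  return result;
}

// True if a hijacked feedback frame receives the screenshot.
function leaksToAttacker(targetOrigin) {
  return runScenario({ targetOrigin, attackerNavigatesFrame: true }).attackerGot !== null;
}

console.log("targetOrigin '*' :", runScenario({ targetOrigin: "*", attackerNavigatesFrame: true }));
console.log("targetOrigin pinned:", runScenario({ targetOrigin: FEEDBACK, attackerNavigatesFrame: true }));
```

Run with `node` and compare the two lines: with "*" the attacker's handler receives the pixel data and the legitimate handler gets nothing, while pinning targetOrigin to the feedback origin makes the browser drop the message entirely once the frame has been navigated elsewhere. Pinning the origin is the sender-side fix; sending the X-Frame-Options (or a frame-ancestors CSP) header on the editor removes the attacker's ability to frame and navigate it in the first place.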

This is how the bug could be used to exfiltrate user data from Google Docs and other Google services.
