A vulnerability was discovered in Google Docs that allowed malicious actors to steal screenshots of other people’s documents by embedding them into a malicious site.
Security researcher Threeram KL discovered the exploit last July 9 and reported the vulnerability on December 27 in his blog.
“Google have a feature called ‘Send Feedback’ in most of their products. As the name suggests, it helps Google to get feedback from users when they face some issue. The feature has an option to add screenshots with a brief description about the issue,” said Threeram.
Threeram explained that screenshot feedback is a common feature available on most Google sites, and that it is integrated into other domains via an iframe element that loads the pop-up’s content from “feedback.googleusercontent.com.”
The process reportedly allowed an attacker to redirect the frame to an external website in order to steal Google Docs screenshots that were meant to be uploaded to Google’s servers.
Google has rewarded Threeram $3133.70 as part of its Vulnerability Reward Program and claimed that it has already patched the vulnerability.
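The frame redirection described above is the case a sender has to defend against when it hands sensitive data to an embedded frame. The following is an added example, not Google's code or the researcher's: it assumes the screenshot is passed to the frame with `window.postMessage` (the article does not say how), and `makeFrame`, `sendScreenshotWeak`, `sendScreenshotPinned` and `deliveredTo` are hypothetical names. It contrasts a wildcard target origin with one pinned to the feedback origin named in the article.

```javascript
// Added example. The postMessage design and all function names are assumptions.
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com"; // origin named in the article

// Minimal stand-in for a browser frame, constructed for this example.
// Like window.postMessage, it drops a message unless targetOrigin is "*"
// or equals the origin of the document the frame currently shows.
function makeFrame(currentUrl) {
  const frame = { url: currentUrl, received: [] };
  frame.postMessage = (data, targetOrigin) => {
    const frameOrigin = new URL(frame.url).origin;
    if (targetOrigin === "*" || targetOrigin === frameOrigin) {
      frame.received.push(data);
    }
  };
  return frame;
}

// Weak: "*" delivers to whatever document the frame holds right now,
// including one it was redirected to after the page created it.
function sendScreenshotWeak(frame, screenshot) {
  frame.postMessage(screenshot, "*");
}

// Hardened: delivery is pinned to the expected origin, so a redirected
// frame receives nothing.
function sendScreenshotPinned(frame, screenshot) {
  frame.postMessage(screenshot, FEEDBACK_ORIGIN);
}

// Returns true if the frame at frameUrl received the (constructed) screenshot.
function deliveredTo(frameUrl, send) {
  const frame = makeFrame(frameUrl);
  send(frame, "constructed-screenshot-data");
  return frame.received.length === 1;
}

// Constructed frame locations: the expected one, an unrelated site,
// and a lookalike host that merely starts with the trusted name.
const expected = "https://feedback.googleusercontent.com/form";
const external = "https://external-site.example/collect";
const lookalike = "https://feedback.googleusercontent.com.external-site.example/";

console.log("weak   -> external :", deliveredTo(external, sendScreenshotWeak));
console.log("pinned -> external :", deliveredTo(external, sendScreenshotPinned));
console.log("pinned -> lookalike:", deliveredTo(lookalike, sendScreenshotPinned));
console.log("pinned -> expected :", deliveredTo(expected, sendScreenshotPinned));
```

The comparison is on the full origin (scheme, host and port), which is why the lookalike host is rejected even though it begins with the trusted name.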