
XSS in Google Finance - moonlander
http://miki.it/blog/2013/7/30/xss-in-google-finance/
======
seldo
Does anyone else feel that XSS on google.com is probably worth a bit more to
the wrong people than $5k? Arbitrary-eval is pretty much the worst. Unless I'm
missing something, somebody could steal a user's cookie strings and post them
to an arbitrary endpoint, which could then use them to log into, e.g. GMail,
which an attacker could then use to trigger and retrieve password-reset links
for all sorts of other sites.

When I worked at Yahoo, an XSS on yahoo.com (which almost never happened) was
a code-red, drop-everything, holy-shit event. If I were at Google I'd probably
give this guy a bonus.

~~~
RKearney
In addition to the session ID cookies, you need the HSID cookie as well, which
is HttpOnly. While this type of bug is bad, it doesn't allow for a malicious
third party to get all of the cookies needed to take over the users session.

~~~
arkem
Also compartmentalization helps (Keeping products in different javascript
origins, e.g. mail.google.com, accounts.google.com, etc)

~~~
seldo
Yes, but Google Finance is on google.com/finance (for some reason; I'm sure it
used to be finance.google.com at some point...).

The importance of httpOnly had somehow escaped me until today :-)

~~~
PavlovsCat
_Yes, but Google Finance is on google.com/finance (for some reason; I'm sure
it used to be finance.google.com at some point...)._

Cookies set for just subdomain.hostname.com can only be "seen by" that
particular subdomain, while cookies set for hostname.com can be seen from
hostname.com and any and all subdomains. I think that's why they do it
constantly, at least stuff like www.google.com/glass certainly makes no sense
otherwise. Why not make a fancy new domain for that? I think it's cookie
greed.

~~~
toast0
cookie greed doesn't explain it, because they don't issue any cookies for
www.google.com, or at least, I don't have any; they do issue cookies for
.google.com, which www and finance can access equally. It's either a branding
thing, or a they paid for the fancy load balancer so they're going to use it
thing.

~~~
PavlovsCat
That's a good point, I stand corrected. Of course, if you wanted to be
"minimal" about cookies, you'd _have_ to use a subdomain, but using one
doesn't mean anything by itself.

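The last three comments turn on two browser rules: a cookie with a `Domain` attribute is sent to that domain and every subdomain, while a cookie set without one is host-only; and a cookie flagged `HttpOnly` is still sent on requests but is invisible to `document.cookie`. As an added example (editor's code, not from the linked post or from Google), here is a small model of both rules after RFC 6265, run over a constructed cookie jar. Hostnames, cookie names and values are illustrative, not Google's real cookies.

```javascript
// Added example: model RFC 6265 cookie scoping and the HttpOnly flag, to show
// what script injected on a given page can read via document.cookie.
// Requests are assumed to be over HTTPS, so the Secure attribute never filters.

// Parse one Set-Cookie header value as received from `requestHost`.
function parseSetCookie(header, requestHost) {
  const parts = header.split(';').map(s => s.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: requestHost.toLowerCase(),  // no Domain attribute => host-only cookie
    hostOnly: true,
    path: '/',
    httpOnly: false,
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'domain' && val) {
      // A Domain attribute widens the cookie to that domain and all its subdomains.
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val) {
      cookie.path = val;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    } else if (key === 'secure') {
      cookie.secure = true;
    }
  }
  return cookie;
}

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Cookies the browser attaches to a request for https://host/path.
function cookiesForRequest(jar, host, path) {
  return jar.filter(c =>
    (c.hostOnly ? host.toLowerCase() === c.domain : domainMatches(host, c.domain)) &&
    pathMatches(path, c.path));
}

// What an XSS payload running on https://host/path sees in document.cookie:
// the same scoping as above, minus everything flagged HttpOnly.
function documentCookie(jar, host, path) {
  return cookiesForRequest(jar, host, path)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed jar (illustrative names and values, not Google's actual cookies).
const jar = [
  parseSetCookie('SESSION=aaa; Domain=.google.com; Path=/; Secure', 'www.google.com'),
  parseSetCookie('AUTH=bbb; Domain=.google.com; Path=/; Secure; HttpOnly', 'www.google.com'),
  parseSetCookie('MAILPREF=ccc; Path=/', 'mail.google.com'),       // host-only
  parseSetCookie('FINPREF=ddd; Path=/finance', 'www.google.com'),  // host-only, path-scoped
];

// Script on www.google.com/finance reads "SESSION=aaa; FINPREF=ddd": it gets the
// .google.com-wide SESSION cookie, but not the HttpOnly AUTH cookie and not the
// host-only MAILPREF cookie set by mail.google.com.
console.log(documentCookie(jar, 'www.google.com', '/finance'));
console.log(documentCookie(jar, 'mail.google.com', '/'));
```

The model shows both halves of the thread: an injection anywhere under `google.com` sees every `.google.com` domain cookie regardless of which hostname set it, which is why putting products on separate hostnames only helps for host-only cookies, and `HttpOnly` is what keeps the `AUTH` cookie out of an exfiltration payload even though the browser still sends it.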
------
sneak
I wonder if emailing them and asking for e.g. a 25k reward before disclosure
exposes one to criminal liability or not.

I mean, is there a law making it illegal to sell exploits to the black market?
These bug bounty programs must know they compete with a large market for these
sorts of things.

~~~
pestaa
IANAL, but action with malicious intent is pretty much enough to get you
behind bars.

~~~
sneak
Not always. For example, speaking truthful factual statements with malicious
intent to harm someone's business by damaging their reputation is totally
legal, provided you're not defrauding or blackmailing anyone or otherwise
acting sketchy.

There're a lot of actions based on malicious intent that are (and should
remain) legal.

------
skizm
Slightly off topic, but if a bug like this is discovered does the engineer who
wrote it get notified?

It would be funny to have a sort of wall of shame for that week or something
else internally. Or you could even go as far as making that engineer pay for
the bug bounty (that's a bit much though). Anyone have any experience as to
what happens on Google's end besides the obvious patching of the bug and
paying of the fine?

~~~
Afforess
A wall of shame sounds amusing at first blush, but it would quickly become a
source of a lot of negativity and unhappiness. Yes, developers need to be
aware of bugs, and learn from mistakes, but intentional harassment seems a
step too far. I know I've written thousands of bugs.

~~~
ketralnis
A friend that used to work at Apple once told me a story of their department
having a big banner over the desk of the last person to break the build.
Eventually a frustrated recipient of the banner solved the problems causing it
to be brittle in the first place, and as a result had the banner himself for
months. A rather unexpected disincentive to solve the problem.

------
gaborcselle
Where in the code is the eval() performed? There is not a single call to
eval() in that source.

Maybe a listing of the Wi() function would be useful.

------
eli
Nice one. Curious how it was discovered. Manually toying with URL parameters
on google.com links?

~~~
DouweM
I'm not familiar with Google Finance, but the author states "This part of the
code is responsible for querying an external domain for a newsfeed to be
displayed on the plot as an overlay.". I'm guessing they just happened to come
across a Google Finance URL using the &ntrssurl= parameter and figured that
would be worth digging into.

~~~
Ecio78
He also says in the comments: "Manual testing, the ntrssurl parameter was
present in an example in the documentation for adding custom news feeds to the
plot :) ."

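The two comments above describe the shape of the bug rather than its code: a documented URL parameter (`ntrssurl`) names an external feed, and the value ends up reaching a code sink. The page does not show the actual Google Finance code, so the following is an added generic illustration (editor's code, not the real sink or fix) of that class: a "feed URL" parameter that is trusted and evaluated as script, beside a hardened version with exact-host allowlisting and `JSON.parse`. The parameter handling, the allowlisted host `feeds.example.com` and the responses are all constructed; the network is replaced by an in-memory table so it runs offline.

```javascript
// Added example: untrusted "feed URL" parameter reaching a code sink, and a
// hardened version. Hostnames, responses and payloads are constructed.

const ALLOWED_FEED_HOSTS = new Set(['feeds.example.com']);  // assumed allowlist

// Strict validation of an attacker-controllable URL parameter.
// Returns the normalized URL string, or null if it must be rejected.
function validateFeedUrl(param) {
  let u;
  try { u = new URL(param); } catch { return null; }     // relative or garbage: reject
  if (u.protocol !== 'https:') return null;              // no javascript:, data:, http:
  if (u.username || u.password) return null;             // no https://allowed@evil/
  if (!ALLOWED_FEED_HOSTS.has(u.hostname)) return null;  // exact match, never endsWith()
  return u.href;
}

// Constructed stand-in for the network: what each URL "returns".
const FAKE_RESPONSES = {
  'https://feeds.example.com/news.json': '{"items":[{"title":"Earnings call"}]}',
  // An attacker-controlled host answers with script plus a plausible-looking payload.
  'https://evil.example/news.json': 'globalThis.pwned = true; ({"items":[]})',
};

// Vulnerable pattern: take the parameter as-is and evaluate the body as JavaScript
// (JSONP-style). Whatever host the attacker names runs code on this page's origin.
function loadFeedVulnerable(param) {
  const body = FAKE_RESPONSES[param];
  return eval(body);
}

// Hardened pattern: only fetch from the allowlisted origin, and parse the body
// with JSON.parse, which never executes code regardless of its contents.
function loadFeedHardened(param) {
  const url = validateFeedUrl(param);
  if (url === null) return null;
  const body = FAKE_RESPONSES[url];
  return body === undefined ? null : JSON.parse(body);
}

console.log(loadFeedHardened('https://feeds.example.com/news.json'));  // parsed feed
console.log(loadFeedHardened('https://evil.example/news.json'));        // null
console.log(loadFeedHardened('https://feeds.example.com.evil.example/x')); // null
```

The allowlist checks the parsed `hostname` for equality rather than testing whether the string ends in the trusted name, because `https://feeds.example.com.evil.example/` and `https://feeds.example.com@evil.example/` both pass a naive suffix or substring check while pointing at an attacker's server. The sink change matters independently: even a feed from a trusted host should go through `JSON.parse`, so a compromise of that host does not become script execution on the page.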
------
h1fra
5k is not so much for this kind of huge vulnerability.

I mean with a "great" hack this guy could have made much more in a few hours,
but let's say it's a generous reward anyway :)

------
jayzalowitz
Wasn't this one around for ages?

