
Googleusercontent.com fun - homakov
http://homakov.blogspot.com.es/2013/07/googleusercontentcom-fun-or-snowden-is.html
======
pearjuice
Homakov, I like your posts, audits and the like but I really suggest you ask
someone to review them before publishing because for the life of me I cannot
comprehend what you are writing most of the time.

~~~
glebm
It's simple really if you understand what's going on. iframe code can access
`frames[0].document` cross domain. Clicking on the link within Google
Translate iframe modifies target page on another domain. curl
[http://homakov.github.io/guc.html](http://homakov.github.io/guc.html)

~~~
nbpoole
If that were true it would be a major security vulnerability. ;-)

The Google Translate content is served up from a subdomain of
googleusercontent.com. This is a domain designated by Google for user-supplied
content so that it can be rendered without affecting the safety of pages on
google.com and elsewhere.

The demonstration here is that one page on googleusercontent.com can affect
another page on googleusercontent.com. This is perfectly acceptable via the
same origin policy.

~~~
homakov
I think glebm implies the same: "iframe code can access `frames[0].document`
cross domain" means through translate.google.com, and "modifies target page on
another domain" means it modifies a page with the same domain but _rendered_ on
another domain.

------
jkldotio
Why does Google add visitor regional information to the domains on blogspot,
in this case .com.es for no apparent reason?

It's intensely annoying to crawl political blogs for Australia, UK, New
Zealand and US from my server in Germany and then have all the URLs with .de
when they go into my news site. As a problem the solution is trivial, I
suppose, but why do they do it in the first place?

~~~
adrinavarro
Censorship, they already explained. They can do country-specific censorship
(like: in China, the govt asks for something offensive there to be removed)
but leave it accessible from everywhere else. Also, they can inform people in
those countries that they cannot access that specific content.

Of course, that means that with a little bit of fiddling (change the domain
name end, I think) you can read a censored post if you're in a problematic
country. It's quite a good idea, actually.

------
mattmanser
Attack doesn't seem to actually work. Unless I'm missing something? Tried it
in incognito mode too, nothing, JS doesn't run.

Looking in the console it says:

 _Blocked opening
'[http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht...](http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fkremlin.ru%2F')
in a new window because the request was made in a sandboxed frame whose
'allow-popups' permission is not set. _

So the attack doesn't seem to work in Chrome.

NB: Just tested on FF, works on that.

Also homakov, I had to edit the iframe width/height just to be able to see the
link in the first place because google's putting all the login stuff at the
top, I'd suggest setting the height to 300px instead of 30px. Are you running
something which stops that showing in your browser?

~~~
homakov
Login stuff? When I/my friends run it in incognito there is nothing but that
link. There is some weird token in URL, but it seems to be valid for everyone.

I made it 30px to hide "tooltips" on hover.

~~~
mattmanser
It's showing the top black bar with +You and all the other Google links at the
top, the stuff that's usually shown if you go to Google not logged in.

This is what I'm seeing:

[http://i.imgur.com/sau9mXU.png](http://i.imgur.com/sau9mXU.png)

~~~
rullgrus
Exactly the same for me. I'm using Firefox and I'm not signed in to Google+.
Visiting the given URL in another tab works, but I have to click to disable
the "Translated in Safe Mode"-feature first.

~~~
homakov
Safe mode disallows scripts. It should be disabled. Not sure about Google
Plus, it works for me in incognito.

------
tshadwell
What is happening? You've loaded something in an iframe, that I can see, but
there is a passing reference to XSS and cookie tossing that isn't elaborated
upon, which for me would be what I really want explained.

~~~
homakov
There is no XSS here, and no cookie tossing.

Google opens translated pages under translate.googleusercontent.com. The link is
located on GUC Page 1 (now, perhaps, you can see the iframe, but it's trivial to
add some CSS to make it look more seamless). It opens with window.open this
URL:
[http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht...](http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fkremlin.ru%2F)

Now GUC Page 1 changes the content of GUC Page 2 (translated page of kremlin.com),
using some DOM and frame tricks I ranted a bit about in the post.
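An added example, not code from the thread or from homakov's PoC, showing the origin comparison behind what is described above: the same-origin policy only looks at scheme, host and port, so two pages on translate.googleusercontent.com share an origin regardless of which site the `u=` parameter names, while translate.google.com is a separate origin. It also shows the `sandbox` token check behind the Chrome console message quoted later in the thread. Hostnames are the real ones discussed; the `/translated` path and the query strings are constructed placeholders. Runs under Node.js.

```javascript
// Added example (not from the thread). Demonstrates why two pages served from
// the same sandbox domain can reach each other's DOM: the same-origin policy
// compares only scheme, host and port. Node.js provides the global URL class.

// Origin of a URL as the browser sees it (scheme://host[:port], default port dropped).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// True when a script in page `a` may read and modify the DOM of page `b`
// (a window it opened, or frames[0]) under the same-origin policy alone.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Whether window.open is permitted from an iframe given its sandbox attribute:
// no attribute (null) means unrestricted; otherwise the token list must contain
// allow-popups. This is the rule behind Chrome's "allow-popups permission is
// not set" message quoted in the thread.
function popupsAllowed(sandboxAttr) {
  if (sandboxAttr === null) return true;
  return sandboxAttr.trim().split(/\s+/).includes('allow-popups');
}

// Constructed sample URLs: real hostnames from the discussion, placeholder paths.
const pageOne = 'http://translate.googleusercontent.com/translated?u=http%3A%2F%2Fexample.org%2F';
const pageTwo = 'http://translate.googleusercontent.com/translated?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fkremlin.ru%2F';
const frontend = 'http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=http%3A%2F%2Fkremlin.ru%2F';

function demo() {
  return {
    // same sandbox origin: page one may edit page two's DOM
    sandboxShared: sameOrigin(pageOne, pageTwo),
    // the translate front end is a distinct origin and stays out of reach
    frontendIsolated: !sameOrigin(pageOne, frontend),
    // embedding untrusted content with sandbox="allow-scripts" denies the popup
    popupDenied: !popupsAllowed('allow-scripts'),
  };
}

console.log(demo());
```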

~~~
tshadwell
I understand now, the articles you previously wrote are very interesting, I
really appreciate your writing this.

------
ororlrlrlylyly
Wait a second, could you not read my google login session cookie from this
page with a seamless iframe to a google domain? Again, like the person above,
I didn't really understand what's going on here.

~~~
homakov
No cookie/XSS or any real vuln is involved here. This is a completely standard
design problem of a sandbox domain. Check out
[http://homakov.github.io/guc.html](http://homakov.github.io/guc.html)

~~~
ororlrlrlylyly
Oh, btw, also, you may be interested in window.setTimeout.

~~~
homakov
I am a JS jedi, but don't spend much time on PoCs.

------
D9u
Very interesting!

URL manipulation also resulted in more goodies.

[http://homakov.github.io/](http://homakov.github.io/)

------
homakov
Working PoC now!
[http://homakov.blogspot.com.es/2013/07/googleusercontentcom-...](http://homakov.blogspot.com.es/2013/07/googleusercontentcom-fun-or-snowden-is.html)

------
pagekicker
What is the point of this link? Why encourage HN users to click on it?

~~~
homakov
It's like "Amigo, there is something breaking on that official website! But
it's in Russian, so here is the link to Google Translate".

Literally, it makes any google translate page untrustworthy.

~~~
ororlrlrlylyly
Although... Does this not require one to click on a link in a framed google
translate page before displaying its payload? In other words, it doesn't seem
like one could simply submit a URL to HN that, when clicked, displays some
inauthentic news headline on your screen with a GUC.com address in the
location bar. Is that not correct?

~~~
homakov
It can work w/o a click. Two caveats:

1) Chrome blocks straightforward window.open if no click happened

2) the user doesn't really expect an automatic popup. So it's not how phishing
should behave

3) yes, it CAN work similarly on HN, in case you are Paul Graham (if you can
change HTML on the front page)

------
ororlrlrlylyly
Anyway, I forgot to say... Nice fun hack! Good job.

