Googleusercontent.com fun (homakov.blogspot.com.es)
64 points by homakov on July 27, 2013 | 39 comments

Homakov, I like your posts, audits and the like but I really suggest you ask someone to review them before publishing because for the life of me I cannot comprehend what you are writing most of the time.

That's definitely what I'm working on. If you wanna make your eyes bleed check out my old posts ;)

Any corrections are welcome at homakov@gmail.com.

I think his posts are just fine considering that English isn't his first language and his relative lack of years in English-speaking countries.

It's simple really if you understand what's going on. iframe code can access `frames[0].document` cross domain. Clicking on the link within Google Translate iframe modifies target page on another domain. curl http://homakov.github.io/guc.html

If that were true it would be a major security vulnerability. ;-)

The Google Translate content is served up from a subdomain of googleusercontent.com. This is a domain designated by Google for user-supplied content so that it can be rendered without affecting the safety of pages on google.com and elsewhere.

The demonstration here is that one page on googleusercontent.com can affect another page on googleusercontent.com. This is perfectly acceptable via the same origin policy.

I think glebm implies the same: "iframe code can access `frames[0].document` cross domain" means through translate.google.com, and "modifies target page on another domain" means it modifies a page on the same domain but rendered inside another domain.

Why does Google add visitor regional information to the domains on blogspot, in this case .com.es for no apparent reason?

It's intensely annoying to crawl political blogs for Australia, UK, New Zealand and US from my server in Germany and then have all the urls with .de when they go into my news site. As a problem the solution is trivial I suppose, but why do they do it in the first place?

Censorship, they already explained. They can do country-specific censorship (like: in China, the govt asks for something offensive there to be removed) but leave it accessible from everywhere else. Also, they can inform people in those countries that they cannot access that specific content.

Of course, that means that with a little bit of fiddling (change the domain name end, I think) you can read a censored post if you're in a problematic country. It's quite a good idea, actually.

Attack doesn't seem to actually work. Unless I'm missing something? Tried it in incog mode too, nothing, js doesn't run.

Looking in the console it says:

Blocked opening 'http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht... in a new window because the request was made in a sandboxed frame whose 'allow-popups' permission is not set.

So the attack doesn't seem to work in Chrome.

NB: Just tested on FF, works on that.

Also homakov, I had to edit the iframe width/height just to be able to see the link in the first place because google's putting all the login stuff at the top, I'd suggest setting the height to 300px instead of 30px. Are you running something which stops that showing in your browser?

> the request was made in a sandboxed frame whose 'allow-popups' permission is not set

GUC Page 1 (the one with the link inside) is not sandboxed and is located on homakov.blogspot.com. Since it calls window.open on click, Chrome must not block opening a popup. I'm pretty sure you have specific/strict settings?

>So the attack doesn't seem to work in Chrome.

It worked for me, for my friends, and for people who +ed the item. Let's figure out what went wrong

Login stuff? When I/my friends run it in incognito there is nothing but that link. There is some weird token in URL, but it seems to be valid for everyone.

I made it 30px to hide "tooltips" on hover

It's showing the top black bar with +You and all the other google links at the top, the stuff that's usually shown if you go to google not logged in.

This is what I'm seeing:


Exactly the same for me. I'm using Firefox and I'm not signed in to Google+. Visiting the given URL in another tab works, but I have to click to disable the "Translated in Safe Mode"-feature first.

Safe mode disallows scripts. It should be disabled. Not sure about google plus, it works for me in incognito.

Yep, that's what I'm seeing too, and nothing much happens when you click on anything, on Chrome or FF.

What is happening? You've loaded something in an iframe, that I can see, but there is a passing reference to XSS and cookie tossing that isn't elaborated upon, which for me would be what I really want explained.

There is no XSS here, and no cookie tossing.

Google opens translated pages under translate.googleusercontent.com. The link is located on GUC Page 1 (now, perhaps, you can see the iframe, but it's trivial to add some CSS to make it look more seamless). It opens this URL with window.open: http://translate.google.com/translate?hl=en&sl=ru&tl=en&u=ht...

Now GUC Page 1 changes the content of GUC Page 2 (the translated page of kremlin.com), using some DOM and frame tricks I ranted a bit about in the post.

I understand now, the articles you previously wrote are very interesting, I really appreciate your writing this.


This is an unrelated exception. It looks like the problem the guys described below (not logged into Google). I can't reproduce it, but it is not a browser bug, just a matter of having a Google account.

Wait a second, could you not read my google login session cookie from this page with a seamless iframe to a google domain? Again, like the person above, I didn't really understand what's going on here.

No cookies/XSS or any real vuln involved here. This is a completely standard design problem of a sandbox domain. Check out http://homakov.github.io/guc.html

Oh, btw, also, you may be interested in window.setTimeout.

I am a JS jedi, but I don't spend much time on PoCs.

Google uses a different domain for user content, namely googleusercontent.com.

What's the definition of "user content"?

Untrustworthy scripts, HTML, images, email attachments.

But I'm logged in! It shows myname in the corner. So obviously you could get that cookie, right?

The part with your name is other_origin. I change the content of GUC Page 2 from GUC Page 1 through other_origin (translate.google.com). No XSS or cookies. Just standards :D

I seriously admire your patience in replying to comments.

I have no life.

I was only referring to your continuing lengthy, polite comments when replying to commenters' questions. :)

:) it's pleasant to explain hacks you discover.

Actually the PoC is fixed - http://homakov.blogspot.com.es/2013/07/googleusercontentcom-...

Very interesting!

URL manipulation also resulted in more goodies.


What is the point of this link? Why encourage HN users to click on it?

It's like "Amigo, there is something breaking on that official website! But it's in russian so here is the link to google translate".

Literally, it makes any google translate page untrustworthy.

Although... Does this not require one to click on a link in a framed google translate page before displaying its payload? In other words, it doesn't seem like one could simply submit a URL to HN that, when clicked, displays some inauthentic news headline on your screen with a GUC.com address in the location bar. Is that not correct?

It can work w/o a click. Two caveats:

1) Chrome blocks a straightforward window.open if no click happened

2) the user doesn't really expect an automatic popup. So that's not how phishing should behave

3) yes, it CAN work similarly on HN, in case you are Paul Graham (if you can change the HTML on the front page)

Anyway, I forgot to say... Nice fun hack! good job.
