Google has acknowledged a recently discovered flaw in its feedback tool and confirmed a critical bug that could compromise users' sensitive files.
The feedback tool is built into many Google services, and it could be abused by a threat actor to capture screenshots of sensitive Google Docs documents by embedding them in a malicious website.
Google offers a feature named “Send Feedback” in all of its products, which lets users report any issue they run into. The feature also gives the user the option to attach a screenshot along with a brief description of the problem.
The feedback feature is deployed on Google’s main domain (“www.google.com”) and integrated into other domains by adding an iframe element; the pop-up’s content is loaded from “feedback.googleusercontent.com” and exchanged through postMessage.
According to the report, a user who wants to submit feedback from Google Docs navigates to Help -> Send Feedback. An iframe then pops up and automatically captures a screenshot of the document the user was working on.
The iframe, however, is served from a different origin than Google Docs, so there must be some cross-origin communication that hands the screenshot over to it.
Hunting for Bugs
Once familiar with this function, the obvious first approach was to look for an XSS in the sandbox domain feedback.googleusercontent.com: with an XSS there, an attacker could read the RGB values of the screenshot’s pixels, render the image and thereby capture the screenshot.
The researcher, Sreeram, tried to find an XSS there, but as it is a sandbox domain he was unsuccessful. A week later, he noticed a video by “filedescriptor” in his Twitter feed.
The video showed him the trick: the location of an iframe presented on a cross-origin page can be changed. A threat actor could use this to hijack the screenshot of a user’s sensitive files.
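The following is an added example, not Google's code and not from the report: a small Node.js model of how browsers apply the targetOrigin argument of window.postMessage, showing why a message sent with targetOrigin "*" can be picked up once the receiving iframe's location has been changed, and why pinning targetOrigin on the sender and checking event.origin on the receiver stops it. The Frame class, the attacker.example origin and the screenshot string are constructed for the simulation; the assumption that the weak pattern is a wildcard targetOrigin is mine, as the page does not state what Google's implementation actually sent.

```javascript
// Added example (not Google's code): a model of window.postMessage
// targetOrigin semantics. A Frame stands in for a browsing context (an
// <iframe>'s window). Its document origin changes when the frame is
// navigated, which is the lever the article describes: embed the page,
// then change the iframe's location.
class Frame {
  constructor(origin) {
    this.origin = origin;    // origin of the document currently loaded
    this.listeners = [];     // "message" handlers registered by that document
  }

  // window.addEventListener("message", handler)
  onMessage(handler) {
    this.listeners.push(handler);
  }

  // Navigating the frame replaces its document: new origin, new listeners.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.listeners = [];
  }

  // frame.contentWindow.postMessage(data, targetOrigin), sent from a document
  // at senderOrigin. Browsers compare targetOrigin against the origin of the
  // document *currently* in the frame and silently drop the message on
  // mismatch; "*" disables that check entirely.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) {
      return false;          // dropped: the frame no longer hosts the intended document
    }
    const event = { data, origin: senderOrigin };
    for (const handler of this.listeners) handler(event);
    return true;
  }
}

const HOST_ORIGIN = "https://www.google.com";                         // from the article
const FEEDBACK_ORIGIN = "https://feedback.googleusercontent.com";     // from the article
const ATTACKER_ORIGIN = "https://attacker.example";                   // constructed placeholder
const SCREENSHOT = "data:image/png;base64,<constructed-placeholder>"; // constructed placeholder

// Receiver-side hygiene: the feedback document only accepts messages whose
// event.origin is a host it expects, and pushes accepted payloads into `received`.
function makeReceiver(allowedSenders, received) {
  return (event) => {
    if (!allowedSenders.includes(event.origin)) return; // ignore unexpected senders
    received.push(event.data);
  };
}

// Host-side scenario. pinTarget selects the weak call (targetOrigin "*") or the
// hardened call (targetOrigin pinned to the feedback origin). attackerNavigates
// models the iframe having been re-pointed at the attacker's page first.
function sendScreenshot(pinTarget, attackerNavigates) {
  const iframe = new Frame(FEEDBACK_ORIGIN);
  const legit = [];
  const stolen = [];
  iframe.onMessage(makeReceiver([HOST_ORIGIN], legit));
  if (attackerNavigates) {
    iframe.navigate(ATTACKER_ORIGIN);
    iframe.onMessage((event) => stolen.push(event.data)); // attacker's page listens to everything
  }
  const targetOrigin = pinTarget ? FEEDBACK_ORIGIN : "*";
  const delivered = iframe.postMessage(SCREENSHOT, targetOrigin, HOST_ORIGIN);
  return { delivered, legitReceived: legit.length, stolen: stolen.length };
}

// Receiver-side scenario: a page at senderOrigin posts into the genuine feedback
// frame; only the expected host gets past the event.origin check.
function receiverAccepts(senderOrigin) {
  const iframe = new Frame(FEEDBACK_ORIGIN);
  const received = [];
  iframe.onMessage(makeReceiver([HOST_ORIGIN], received));
  iframe.postMessage("spoofed-or-genuine", FEEDBACK_ORIGIN, senderOrigin);
  return received.length === 1;
}

// The cases a reviewer would want to see side by side.
console.log("wildcard, iframe re-pointed  :", sendScreenshot(false, true));  // stolen: 1
console.log("pinned,   iframe re-pointed  :", sendScreenshot(true, true));   // delivered: false
console.log("pinned,   genuine frame      :", sendScreenshot(true, false));  // legitReceived: 1
console.log("receiver rejects unknown host:", !receiverAccepts(ATTACKER_ORIGIN)); // true
```

The two checks are independent and both are needed: the pinned targetOrigin protects the sender from handing data to whatever document currently occupies the frame, while the event.origin check protects the receiver from spoofed messages posted by an attacker who has embedded it. Neither check is a substitute for the other, and neither depends on the frame's URL at the time the listener was installed, only on the origin at the time each message is delivered.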