« Why Your Static Analysis Scanner Should Use String Analysis | Main | Babylon Cross-Application Scripting »

March 22, 2010

Cross-Site Scripting through Flash in Gmail Based Services

Background

I recently discovered a cross-site scripting through Flash issue in Gmail. Not only did it expose Gmail users to full account hijacking, but it also exposed corporate users that rely on Gmail through the Google Apps initiative.

Technical Details

Gmail uses a Flash movie, named uploaderapi2.swf, for file upload operations. A short investigation revealed that it used two user-input parameters (‘apiInit’ and ‘apiId’) as parameters to ExternalInterface.call(), a class that is used for interaction between Actionscript and the flash player container (a hosting HTML page in the case of browsers).

var flashParams:* = LoaderInfo(this.root.loaderInfo).parameters;
API_ID = "apiId" in flashParams ? (String(flashParams.apiId)) : ("");
API_INIT = "apiInit" in flashParams ? (String(flashParams.apiInit)) :                    
                     ("onUploaderApiReady");
.
..
...
if (ExternalInterface.available) {
          ExternalInterface.call(API_INIT, API_ID);
}

A snippet from uploaderapi2.swf

The code above is vulnerable to a script injection attack: setting apiInit to eval and apiId to arbitrary JavaScript code, results in the execution of the JavaScript in the context of mail.google.com (the Gmail domain). Hence, by luring victims to load a malevolently crafted link, attackers could execute malicious JavaScript in the context of active Gmail sessions and fully impersonate their victims (manipulate and steal sensitive information from their accounts). Like other script injection attacks, a real-world attack could be refined by using techniques such as loading the malicious link in a hidden IFrame.

As can be seen in the screenshot below, before Google patched the aforementioned flaw, loading the following link popped-up an alert message with the cookies that are associated with Gmail’s domain:
https://mail.google.com/mail/uploader/uploaderapi2.swf?apiInit=eval&apiId=alert(document.cookie).

Gmail Script InjectionGmail script injection screenshot

Transparent Attack

As presented in Stefano Di Paola’s famous presentation, one of the interesting characteristics of Flash attacks is the ability to mount transparent attacks in browsers such as Firefox and Google Chrome. Due to the fact that Flash is executed in the client-side, the malicious payload (in this case, the values of apiInit and apiId) can be hidden from the server by adding the ‘#’ sign before the query part of the URL: https://mail.google.com/mail/uploader/uploaderapi2.swf#?apiInit=eval&apiId=alert(document.cookie).

That way, the attacked browser sends a parameter-less request for https://mail.google.com/mail/uploader/uploaderapi2.swf (uploaderapi2.swf is loaded by Gmail with no parameters by default) – this request is therefore regarded by the server as standard and not alarming in any way. However, a successful exploitation is possible since the Flash player refers to the whole URL, including the attack payload, which comes after the ‘#’ sign.

Remediation

The first parameter that is passed to ExternalInterface.call() determines the JavaScript function name to be executed. This parameter (API_INIT) has been updated to contain a hardcoded value (‘onUploaderApiReady’) and does not rely on external user-input any more.

Acknowledgments

I would like to thank the Google security team for their quick responses and the efficient way in which they handled this security issue.

Posted by on March 22, 2010 in Research, Web Application Security |

| |

Comments

Nils Hitze

Doesn't works with my Chrome but i will forward it to someone at Google that can maybe forward this to the Gmail Team. Thanks for finding it.

Posted by: Nils Hitze | March 23, 2010 at 05:40 PM

Yair Amit

Hello Nils,
In order to refrain from putting Gmail users under risk, this issue has been responsibly disclosed to Google. Therefore, this write-up was published only after the aforementioned security hole was fixed.

Posted by: Yair Amit | March 23, 2010 at 06:32 PM

5up3rh3i@gmail.com

hi YairAmit

nice work!

this hole was fied now,can share the old version of
'uploaderapi2.swf' to me?

thank u

my gmail:5up3rh3i@gmail.com

Posted by: 5up3rh3i@gmail.com | March 24, 2010 at 09:26 AM

cosine

it is a nice case.
my gtalk:evilcos#gmail.com

can u share the unfixed .swf file to me? thx:)

Posted by: cosine | March 24, 2010 at 09:46 AM

BigMc

Hi Yair Amit,

It's amazing ! I wonder how many mail, or other, Services has a similar problem...

Good luck,
BigMc.

Posted by: BigMc | March 24, 2010 at 12:11 PM

Stefano

Hi Yair,
very nice finding and writeup!
It seems that this category of bugs is going to be more and more discovered.

Thanks for the reference, too! :)

Stefano

Posted by: Stefano | March 25, 2010 at 09:00 AM

Yair Amit

@All, thanks for the feedback! :)

@Stefano, I agree that discoveries of this category of bugs will become more common, as the awareness to them rises.
However, after taking a look at some of the security changes that were applied by Adobe in ActionScript 3 (such as blocking the ability to implicitly use global parameters, a common programming error in AS2), it seems that they are in the right direction. :)

Posted by: Yair Amit | March 29, 2010 at 11:10 AM

The comments to this entry are closed.

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan