Google has patched a clickjacking vulnerability that a researcher says would enable an attacker to retrieve or delete email conversations, manipulate YouTube and Google Plus accounts, and more.
A Google representative said in an email to Threatpost that the bug affected developers who had authorized Google API Explorer to take certain actions. According to Google, API Explorer lets developers interact with Google APIs: see what methods are available and what parameters they support, make authenticated API calls, and execute requests for any method in real time.
Google did pay out a $1,337 bounty on April 21 to researcher Paulos Yibelo, nine days after his initial report.
Clickjacking, which is also referred to as a UI redress attack, happens when an attacker tricks a user into clicking something on a webpage and executing an attack. Google said the breadth of this issue is fairly narrow, but Yibelo said the risk is high and all of Google’s products are affected, including Gmail, calendars, Google Play, YouTube, AdSense and more.
“The victim only needs to click a single button to perform action, but building a page might not be as simple and requires some CSS knowledge,” Yibelo said as to the ease of exploit. “The idea behind the exploit is to frame the page where that button was, and make the frame transparent.”
Yibelo said the attacker could create a button that tricks the victim into thinking they’re registering for a free gift or reward, but in reality are instead clicking an execute button hidden behind the iFrame.
Several conditions have to be in play for the attack to be successful. For example, the victim has to have authorized Google’s API, say via a YouTube or Blogger log-in. They would have to be enticed to visit the hacker’s site hosting the clickjacking exploit, and from there the attacker could manipulate a user’s YouTube account, delete their blog, add posts or comments, read and delete email conversations, or interact with their Google Plus account.
“UI Redressing/ClickJacking is a much underestimated attack,” Yibelo wrote in his report. “Although mitigation from it is quite easy, we still see applications falling for it. I hope this bug shows how a single click could compromise the integrity of your Google account, and a single X-Frame-Options could have saved the day.”
Clickjacking has a constant presence on the OWASP Top 10 list of common web application security vulnerabilities. The organization says there are two ways to prevent clickjacking: sending an X-Frame-Options HTTP response header that forces the browser to reject iFrames from other domains; or writing code in the UI that allows only the top-level window to be the current frame.