When asking for help on most Google products, you can attach a screenshot of the issue. The feature was implemented by handling the screenshot inside an iframe and then passing the data to the receiving window with a postMessage call.
At first, the author spent many hours trying to get XSS on the domain without success, so they turned to the postMessage configuration to see how it behaved.
It turns out that if a page is loaded in an iframe, the embedding page can change that iframe's location. So if a page can be framed, that undermines the security assumptions it makes about its own iframes.
So, the attack has a few steps:
- Load the page in an iframe (Google Docs had no protection against being framed).
- Change the location of the Google Doc iframe to your own page.
- Send the help message.
- Your screenshot can be hijacked!
Why does changing the iframe's location actually help? When sending a postMessage, the call is made on a reference to the window that should receive it (here, the parent window), and the second argument is meant to specify the origin allowed to receive the message. However, this page does NOT set an origin and just uses the wildcard ('*'), so the browser delivers the message to whatever page is currently loaded in that window.
Now, with the iframe's location changed, all of the data sent in the screenshot is delivered to the new page, and we can hijack it!
What allowed this to happen? First, the page itself could be framed; a header that forbids framing (X-Frame-Options or a Content-Security-Policy frame-ancestors directive) would have stopped that. Second, the postMessage was not restricted to a particular origin: windowRef.postMessage("", "*");. Either fix alone would have prevented the attack. Awesome find!
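To make the targetOrigin point concrete, here is an added example (not Google's code and not from the original write-up) that models the browser's postMessage delivery rule in a few lines and runs it against the two sender patterns. The origins, the FakeWindow stand-in and the screenshot payload are all constructed for illustration; the rule itself (deliver only when targetOrigin is "*" or equals the receiving window's current origin) is the one browsers apply. A receiver-side origin allowlist check is included as the counterpart defence.

```javascript
// Added example: minimal model of window.postMessage's targetOrigin check,
// showing why the wildcard "*" let a navigated frame read the screenshot.
// Not Google's code; origins and window objects are constructed for illustration.

const DOCS_ORIGIN = "https://docs.example";         // assumed: origin the help page expects
const ATTACKER_ORIGIN = "https://attacker.example"; // assumed: origin the frame gets navigated to

// Stand-in for a browser window: it has a current origin (which changes when
// the frame is navigated) and records every message that was delivered to it.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;
    this.received = [];
  }

  // Browser rule: deliver only if targetOrigin is "*" or exactly matches the
  // window's *current* origin; otherwise the message is silently dropped.
  postMessage(data, targetOrigin) {
    if (targetOrigin === "*" || targetOrigin === this.origin) {
      this.received.push(data);
      return true;
    }
    return false;
  }

  navigate(newOrigin) {
    this.origin = newOrigin;
  }
}

// The weak pattern from the write-up: screenshot posted with a wildcard origin.
function sendScreenshotWildcard(windowRef, screenshot) {
  return windowRef.postMessage(screenshot, "*");
}

// Hardened pattern: name the single origin allowed to receive the screenshot.
function sendScreenshotPinned(windowRef, screenshot) {
  return windowRef.postMessage(screenshot, DOCS_ORIGIN);
}

// Scenario: the frame is navigated away before the screenshot is sent.
// Returns whether the browser delivered the message and how many messages
// the page now occupying the frame received.
function simulate(sendFn) {
  const frame = new FakeWindow(DOCS_ORIGIN);
  frame.navigate(ATTACKER_ORIGIN);
  const delivered = sendFn(frame, "<constructed screenshot bytes>");
  return { delivered, attackerSaw: frame.received.length };
}

// Receiver-side counterpart: a message handler should also check event.origin
// against an allowlist rather than trusting anything that arrives.
const ALLOWED_SENDERS = new Set([DOCS_ORIGIN]);

function acceptHelpMessage(event) {
  if (!ALLOWED_SENDERS.has(event.origin)) {
    return null; // drop messages from unexpected origins
  }
  return event.data;
}

// Stand-alone run: the wildcard version leaks, the pinned version does not.
console.log("wildcard:", simulate(sendScreenshotWildcard)); // { delivered: true, attackerSaw: 1 }
console.log("pinned:  ", simulate(sendScreenshotPinned));   // { delivered: false, attackerSaw: 0 }
console.log("receiver:", acceptHelpMessage({ origin: ATTACKER_ORIGIN, data: "x" })); // null
```

The model deliberately keys delivery on the window's current origin rather than the origin it had when the reference was obtained; that is exactly the gap a wildcard opens, since a window reference stays valid across navigation while its origin does not. Pinning targetOrigin on the sender and checking event.origin on the receiver are independent controls, and either one would have closed this particular leak.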