A year after a Google executive announced the company was investigating the security vulnerabilities in Google Docs, a security researcher has discovered that Google did it first.
The Google security researcher, Thomas Green, posted a blog post today detailing how the company “discovered a major vulnerability in Docs” in March 2017.
“We’re going to do the math, but the first place we checked was Google Doc, which was on the same day that we did the analysis,” Green said in a phone interview with Engadget.
“Docs was in the middle of a massive bug bounty hunt, which, at the time, was being handled by Microsoft, and they didn’t have the resources to get it done, so we took the next step and looked at Microsoft and got access to their entire bug bounty program.”
In the blog post, Green described how he and his colleague Matt Karp were able to quickly “identify” the vulnerability and how to exploit it.
“In our case, we had the entire bug list, and we could have taken advantage of it,” Green told Engadget.
“If we had used that list and started writing exploits, it would have been like we were hacking Google.
But instead we just wrote some code.”
The vulnerability is only exploitable by sending a specially crafted document to a Google Doc client.
In his blog post detailing the vulnerability, Green said he found an “invalid header” and an “unspecified message” that “was designed to make it easier for Google to exploit this bug.”
“We also found that the header was actually a Google bot, and it had an internal log file that contained the URL of the Google bot’s command and control server, which we were then able to get to,” Green explained.
“Once we got to that server, we saw the malicious file and we realized we had a legitimate Google bot in the process of running.
The file we found in the bot was a JSON file that looked like this: ‘The URL to the Google Bot server is https://bot.google.com.
The script was created in Python and could have been executed by anyone on the planet.”
Green said the “unnamed HTTP response” to the document was a maliciously crafted JSON payload that could be used to launch a remote shell.
“When the payload was sent to the bot, it could be seen by anyone, and Google’s security team would see the JSON response in the Google Doc server,” Green wrote.
“After the response was parsed, we were looking at a shellcode file, and the shellcode contained a malicious binary that we were hoping could be executed from a Google Chrome web browser.
The shellcode was executed from the Chrome browser by the Google Chrome Web Developer Tools, which is a Google-built extension that allows users to run scripts in the Chrome Web Store.”
Google has since issued an update that makes it more difficult for anyone to exploit the vulnerability.
“The Google Bug Bounty Program has been updated to include a more stringent security check that requires that all applications submitted to the program use the Google Developer Tools,” the company said in an email to Engadget.
“Applications submitted without this additional check will not be accepted for the bounty.”
Google confirmed to Engadget that “a significant number of applications submitted” for the bug bounty were submitted by the same people who were involved in creating the exploit.
“This was a serious security vulnerability and the bug was exploited by the attacker,” the security researcher wrote.
In an interview with Ars Technica, Green told the publication that he was shocked that Google had allowed the bug to remain unpatched for so long.
“I didn’t think it was going to be patched until January, which means it could have gotten patched at any point after that,” Green noted.
“So I’m not sure what motivated Google to let it stay in there for such a long time.”