Goofy_Coyote 9 months ago

Absolutely loved everything about this.

The attack, the explanation, the webpage, the writing.

It’s an easy 10.

Huge thanks for writing your whole thought process, including things that you tried and didn’t work.

I’m going to use this post as an example for how a great writeup should be done.

rozab 9 months ago

Would like to highlight that this webpage, interactive 'screenshots' and all, is 31kb

  • altbdoor 9 months ago

    Ah I see, it makes sense now that they aren't screenshots, and are instead interactive HTML/CSS/JS(?) bits.

    Was suspicious of how high quality the screenshots were in mobile, but didn't bother to click on them. Neat!

    • rebane2001 9 months ago

      No JS on the page, only HTML/CSS :)

      • efskap 9 months ago

        The checkbox trick for the clickable Review button is so cool! Loved the easter egg links to various videos too

      • gukoff 9 months ago

        That's very impressive - how do you do this? I also see an IDE screen with the debugger in your other article about Telegram - presumably also HTML/CSS.

        • rebane2001 9 months ago

          I just open Sublime Text (a basic text editor) and start typing away HTML/CSS until I've got something I like the look of. No fancy IDE features or anything, just typing out code into a file :).

          I also use my browser's DevTools for faster CSS iteration, and Paint.NET for concept art and comparing/measuring screenshots. Sometimes I even use Illustrator and/or Inkscape for some SVG stuff (which I manually edit in code afterwards) - in this blog post I used Inkscape to recreate the cat emoji and the Chrome iframe error pixel art icon.

pcthrowaway 9 months ago

Weird to see so little traction on this novel attack.

Honestly, considering this allows anyone to access anyone else's private drive files, I would have expected the payout to be much higher.

  • echoangle 9 months ago

    You have to trick someone into opening your presentation and clicking a specific button, that’s not something a random person knowing my email could easily do. It’s a problem but I wouldn’t exactly say it allows anyone to access anyone else’s private drive files.

    • a012 9 months ago

      My company IT sec person sent a presentation and asked everybody to follow a link inside the slide to go to the training website. So never underestimate an attack vector; also, security is just a joke.

    • fragmede 9 months ago

      A random person knowing your email isn't totally random though. A normal person's email address is enough to track down some known associates. Spoof the email as coming from a business partner as the new deck for a side hustle, and the target has been phished. Multiply across every email leaked in recent mega leaks and it's a good thing it was patched!

    • az226 9 months ago

      One click is all it takes. That’s the lowest on the totem pole of social engineering.

    • dredmorbius 9 months ago

      It is the sort of direct targeted attack one might expect a motivated adversary to undertake.

      And perhaps those who are cultivating botnets or other widespread attacks.

0dayz 9 months ago

One major reason I only watch YouTube either with no account or with a dedicated YouTube Google account.

  • sushid 9 months ago

    This specific security vulnerability was the main reason you watched YouTube on a dedicated account?

  • rebane2001 9 months ago

    I'm not sure how that'd save you here unless you go out of your way to block the YouTube domain entirely.

    • webninja 9 months ago

      He doesn’t want to click on the wrong thing while watching a video or browsing around outside and accidentally get clickjacked. A little bit of JavaScript in an advertisement could cause this to happen. Without an active session cookie, none of your drive files can be jacked.
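The comment above talks about getting clickjacked from another site. Whether a page can be embedded by a third-party origin at all is decided by its response headers (Content-Security-Policy frame-ancestors, falling back to X-Frame-Options), so a defender's first check is what those headers actually allow. The following is an added example, not code from the thread or from the original writeup: it evaluates a response's headers against a would-be embedder origin. The header sets are constructed samples; the `frameableBy`, `parseFrameAncestors` and `matchesSource` names are this example's own. Port matching in CSP sources is deliberately left out.

```javascript
// Added example: decide whether a page's response headers let a given
// origin put it in an iframe (the precondition for framing-based clickjacking).
// Everything below is self-contained; the header sets are constructed samples.

function parseFrameAncestors(csp) {
  // Returns the source list of the frame-ancestors directive, or null if the
  // header (or the directive) is absent. Quotes around keywords are stripped.
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function matchesSource(src, embedder) {
  // Matches one CSP source expression against the embedder URL.
  // Supports scheme-only sources ("https:"), exact hosts and "*." wildcards.
  // Port components are ignored in this example.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && embedder.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) {
    const suffix = host.slice(1); // ".partner.example"
    return embedder.hostname.endsWith(suffix) && embedder.hostname !== host.slice(2);
  }
  return embedder.hostname === host;
}

function frameableBy(headers, embedderOrigin, pageOrigin) {
  // headers: plain object of response headers (any casing).
  // Returns true when a browser following CSP3 / XFO semantics would render
  // pageOrigin's document inside a frame hosted by embedderOrigin.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const embedder = new URL(embedderOrigin);
  const page = new URL(pageOrigin);

  // When frame-ancestors is present, X-Frame-Options is ignored.
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    if (ancestors.includes("none")) return false;
    if (ancestors.includes("*")) return true;
    if (ancestors.includes("self") && embedder.origin === page.origin) return true;
    return ancestors.some((src) => matchesSource(src, embedder));
  }

  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return false;
  if (xfo === "sameorigin") return embedder.origin === page.origin;
  // No header, or the obsolete ALLOW-FROM form, which current browsers ignore:
  // any origin may frame the page.
  return true;
}

// Constructed sample responses for an imaginary app at https://app.example.
const SAMPLE_HEADERS = {
  none: {},
  xfoDeny: { "X-Frame-Options": "DENY" },
  xfoSameOrigin: { "x-frame-options": "SAMEORIGIN" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: {
    "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
    "X-Frame-Options": "DENY", // ignored because frame-ancestors is present
  },
};

function auditSamples(embedderOrigin, pageOrigin = "https://app.example") {
  // Returns { sampleName: frameable } for the given embedder.
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    report[name] = frameableBy(headers, embedderOrigin, pageOrigin);
  }
  return report;
}

console.log("embedder https://evil.example:", auditSamples("https://evil.example"));
console.log("embedder https://ads.partner.example:", auditSamples("https://ads.partner.example"));
```

Only the `none` sample (no anti-framing header at all) is frameable by an arbitrary origin; the `cspPartner` sample shows why the CSP directive, not X-Frame-Options, is what to read when both are present.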

ravishar313 9 months ago

This was so good. Never thought things so trivial could be made into such attacks.

nullc 9 months ago

How can you tell if your root folder has been shared this way? Doesn't look like the root folder's sharing settings are accessible via the normal UI.

  • rebane2001 9 months ago

    You cannot share your Root folder, I just threw it in there as a fun bit of unrelated trivia about Drive :). If you attempt to share it (you can try!) you'll just get an error.

marvina2 9 months ago

Incredible research

Jerrrry 9 months ago

This was impressive beyond what I can ingest before a full pot of coffee.

Bravo

  • changexd 9 months ago

    I think compared to other system vulnerabilities such as "if you make X library do Y thing (...10 more steps skipped), you can do RCE", this is fairly understandable for me; at least I know how it works. I guess this also means this exploit can be easily accessed?