241 comments

[ 0.19 ms ] story [ 937 ms ] thread
Google cache: https://webcache.googleusercontent.com/search?q=cache:kv9fSs...

> Exploiting Clickjacking on Google YOLO allows visitors' name, profile picture and email address to be leaked. That's right, I can even know your email address. :). Click here if you want to see behind the sense (make sure you have logged in Google with a modern browser, PC preferably).

Google's reply to a VRP submission:

> Thanks for your bug report and research to keep our users secure! We've investigated your submission and made the decision not to track it as a security bug.

> The login widget has to be frameable for it to work. I'm not sure how we could fix this to prevent this problem, but thanks for the report!

That's why we don't trust login widgets, right?

Damn, the amount of user trust they just burned by closing that with "as designed, won't fix" is staggering.
Yeah, I read through the post and (assuming I'm parsing it right) can't figure out why this hasn't caused a massive shitstorm already. Are they actually arguing that it's not a security bug because it's necessary for them to implement a 'one click sign in through Google' feature?
Likejacking Facebook likes has been around for 8+ years, leaks a similar amount of information, and there’s no big shitstorm. Not sure what the big difference between YOLO and FB’s like button are?
To me Likejacking is more like harvesting organic likes. And YOLO leaks email address which is PII.
I was wondering whether this is actually the same as like jacking. Is the ‘leak’ in that case the ability for the Facebook page/post owner to be able to then look you up in the list of ‘likes’? If so, I think Facebook privacy settings may allow users to not leak their emails or pictures in this case.

Also, I think it’s more widespread given that ‘Google identity’ covers a large number of Google products, and signing into one signs into all. With Facebook any time I log in nowadays I open incognito, check messages, log out, whereas with Google I generally stay logged in, mostly because I want gmail and my cross device browsing history to work.

Do you get user's email from FB’s like button? (edit typo)
Yet they silently blocked his website from using this API thus acknowledging it's actually an issue.
Well, that did protect users from his site, at least :)
Sounds like a fix.

By the terms of the VRP it sounds like the reporter is owed a payout.

Bounty deserved, yes. Fixed? No, they only blocked his address, anyone else can still grab your info on their sites.
Exactly. If it was about "just whitelisted partners" he discovered it was actually "everybody." It's not different than discovering that instead of the password just an empty string is enough.
Shoot the messenger. SOP.

Maybe someone should tip off Google project Zero about this? Let's see if they mean it that they will hold themselves to the same standard.

Project PR exercise? doubt it, they only seem to pick holes in other companies software, if they ever took a long hard look at Android for instance then I imagine they could find a ton of problems, which is probably why they haven't, at least to the best of my knowledge.
Looks like they took it down for everyone [0]; maybe not the most elegant approach but at least it seems they're taking it more serious now.

[0]: https://stackoverflow.com/questions/50289065/google-yolo-sto...

It would be very interesting to see a split second exact timeline on this.
Indeed. A Google engineer stated on Twitter [0] that the shutdown of the service happened because apparently YOLO is only supposed to be accessible to whitelisted partners.

[0]: https://twitter.com/sirdarckcat/status/994867632355577862

So, whitelisted partners get the ability to rip your data?

I'm sure that will go down just fine. FB just got into a lot of trouble over something like that (arguably a lot more serious, but still).

They also state in the same Twitter thread that they were aware of the issue before the blog post was written. IANAL but even if the shutdown was intentional (as opposed to being the example of terrible damage control it looks like), willfully leaving a bug in production that allows a set of whitelisted partners to deanonymize their visitors without their consent seems like something that shouldn't fly in countries with data protection laws?
I just received a message back on Twitter saying that the whitelist wasn't the fix and they are still making more changes.

This is seriously denting my continued belief in Google's security chops. I know they have some of the finest security researchers on the planet but this was handled in a ham-fisted and ineffective way so far.

And best of all: without 'partner' status you won't be able to check if has been fixed.

>This is seriously denting my continued belief in Google's security chops. I know they have some of the finest security researchers on the planet but this was handled in a ham-fisted and ineffective way so far.

This is a great demonstration how a company can have all of the right talent but still manage to become incompetent through poor organizational policies.

Lets hope it doesn't happen again.
Just wait a couple of weeks until GDPR takes effect
It would be fine if they only gave whitelist access to people who could already simply access your data by request. But GDPR would only require that they know who could access, and that the access list be less than "the entire world".
They're burning developers and potential employees trust in the first place. This "we don't know how to fix it ==> not a bug" attitude is what's staggering.
To me it shows a gross indifference to being dishonest even when speaking in an official capacity.

I want to say that I hope this is isolated and not a systemic part of their company culture but at this point I can't help but be cynical after this.

This keeps happening over and over again. I remarked the other day that the most feared words when reporting a serious bug are 'won't fix'. It is super annoying. If the feature can't be made to work safely then drop the feature.
(comment deleted)
To fix this, there could be a new `X-Frame-Options`: `compose-over`. The browser rendering context will compose the frame separately, and always place it on the top of the rendering context, above every other element; regardless of the host page element's z-index, opacity, whatever.

It's kind of like how an app cannot draw over system UI; like the permissions dialog.

I'm surprised this is not how X-Frame-Options worked in the first place.

And make sure it has a minimum size so we don't get a 1px iframe following the cursor.
That's something the iframe can detect itself though through JS :)
But as pointed out in the article, JS method of detecting if your page was embbeded is a bit unreliable.
(comment deleted)
Why rely on a million different copy pasted implementations if one good implementation is possible?
Or maybe logging in ought to be handled directly by the browser in a way that couldn't be highjacked or phished easily. Do we really need a million different implementations of a login form?
UAF/U2F, which conveniently is part of the new webauthn standard that just got released in the latest Firefox update
NoScript Classic has/had clickjacking mitigation. I don't know if the updated version post-Quantum was able to retain this.
This is a really well written article.

I recall a video talking explicitly about this problem - it was something about using the browser paint API in conjunction with iframes for security? The gist was a browser should be able to tell in real time if an iframe is visible and should be able to block user input depending on whether or not the site was hiding the iframe, putting something on top of it, pushing it off screen, moving it around, etc...

But I can't remember the source. If I can find it, I'll add it in an edit. And of course if anyone else knows the talk I'm thinking of, please link.

Yep, very good.

It certainly makes me glad I did _this_ on my FB account:

>> You previously turned off platform apps, websites and plug-ins. To use this feature, you need to turn them back on, which also resets your Apps others use settings to their default settings. <<

.. but further to that, I should take my FB login and stick it in a Firefox container where it belongs.

NoScript includes protection against this! He calls it ClearClick:

" whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in "clear". At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction."

https://hackademix.net/2008/10/08/hello-clearclick-goodbye-c...

Anyone else too trusting in clicking the buttons? Brilliant idea to demonstrate the issue with a like to his own blog post!
> Shortly after thie article was published, Google silently prevented my domain from using the API: > The client origin is not permitted to use this API. > Welp.

So some buttons stoped working, and now you have to believe that everything was as the blog said. Well, it was.

And a "mitigation" from google being just avoiding the access to the API just makes things more interesting.

(comment deleted)
API ban was probably automatic due to HN effect.
Actually Google temporarily shuts down the service as I've tried changing API keys/domains but received the same error
A lot of Google employees are reading HN and actively posting so no surprise. Did they at least contacted you to properly open a ticket now that they implicitely recognized the vulnerability? Otherwise very very dickish move as it solve nothing and you basically worked for free...
Nothing
And now if anybody from HN team is listnening. Can you explain why this thread is fastly slipping from the front page?

Currently it’s being devanced by articles that are olders, with less upvote and fewer comments. Can you guarantee that nobody is able manipulate ranking? It’s only a hunch, but it’s not the first time that I notice that google related "bad buzz" move away from main page slightly faster than other...

PS: I’ll gladly accept downvotes. But answers on why I’m wrong or paranoid would have been better

(comment deleted)
Although I don't think this is some sort of conspiracy, HN front-page is curated content, ranking is not only based on votes.
(comment deleted)
Flags are a factor, and function as downvotes on articles but are much heavier weighted than upvotes.
There appear to be quite a few flags on the article pushing it down. The ratio of upvotes to age compared to the rest of the front page is a strong indicator of this.

Also: lots of HN'ers work at google. It would be a nice rule if people were told to abstain from using their flagging privileges when the company they work at is the subject of a thread.

Power corrupts. Absolute power corrupts absolutely. Absolute power hates when it is challenged in any shape or form
Thanks a lot for investigating. Otherwise I could’nt have excluded that it was only me being paranoid about that.
It looks like the situation has mostly corrected itself by now.
It's probably because a lot of Google folks are on here - protecting their brand. Unfortunately that part isn't transparent, but its hopefully a minor issue.
HN has moderation, so some stories can be pushed back into the /New stack by staff, they can fall again if aren't liked by the community
Ho do I hack into google I'm a kid and I want to make it say giberish instead of Google
does anyone know?
That doesn't sound plausible; what sort of service would YOLO be if a popular website using it resulted in an API ban?
I know I'm just one person - but I can confirm the content of the blog was accurate and the described attacks did work at the time I read it.
Quite a sketchy move from Google... Hope OP will eventually get a big bounty paid out.
> Google

Big companies trying to strangle hold the small ones -- nothing new, time to move on. Its pathetic.

> Now, I'm presenting you another button. It doesn't have much to say except "harmless", and I challenge you to click it.

In an article like this I can't help but think that the "[ ] Behind the scene" button is the real bait.

Am I safe from this exploit if I disable Javascript?
You may be protected from the specific examples provided in the blog post, but, on the whole, you will not be protected. Most of the underlying vulnerabilities here can be exploited with simple HTML and CSS.
Content blockers can also prevent embedded iframes from loading. The article looks like this for me using uMatrix in Firefox: https://i.imgur.com/pYFXRR3.png

Clicking the link opens the iframe in a new tab, so it's hard to click it again without noticing what's going on.

You can make it a bit more visible if you use the Stylus extension.

Unfortunately Chrome (and probably Firefox quantum) doesn't let you apply css agent_sheets (only user/author), so that style="display:none!important" on the iframes can't be overridden.

If you use older Firefox or Palemoon then you can use Stylish v2.0.7 and override it.

  /* AGENT_SHEET */
  iframe:hover{cursor:help!important}
  iframe{border:1px solid red!important;display:block!important}
  *{opacity:1!important}
Conveniently I had ignored the cookies button because it was not impacting the article text.
I saw it, immediately thought "this is clearly part of the demo", and clicked it, because I was certain it was going to be fun. Woe betide me and my poor risk valuation skills - but not today.
I'm looking forward to Google giving out a $100 reward or even nothing to the researcher.

Like they did to the guy who found the sitemap ranking bug in Google Search where he was able to let others pay for a first page ranking. He only got $1,337 and it took Google 6 months to fix it.

There should be another website where people bid on the bug. If Google cares enough about it, they'll out bid the people that want to exploit it.
Lol. A market for vulnerabilities? Pretty sure these exist already. ;)
This is a pretty clever idea. :) cuz you know Google makes money from ad bidding.
...and ought to store the current bids as search results on Google.
Just a thought, why not add play button to iframes as well, just like for videos that prevents auto play
You could still convince users to do a double click, no?
Honestly a decent sized chunk of users that I support double click most things anyway.

A large chunk of the user base doesn't know the functional difference between icons, hyperlinks and buttons.

Given that a large chunk of the web creator base seem to use these interchangeably nowadays, the confusion is unsurprising.
Unfortunately that is true, and it's really bad for accessibility too (using links as buttons, but not coding the keyboard events that are used on buttons, for example.
My dad double clicks everything. So yeah its super easy
Well, yes; you double-click the play button to play the video/iframe. I'd be more worried about "Oh, the button did nothing, I should try again.". The real fix is to not allow transparency/compositing.
does use different browser "profiles" while never signing into other sites help with this?
Yes, if you aren't signed in to other accounts most of these click jacking scenarios would need to convince you to sign in which would be pretty obvious.
(comment deleted)
Are elinks users safe?
Are elinks users safe from AFL ? If you are using elinks not in at least a container, you are asking for pownage.
What's AFL?
Oh, I know this AFL. But it didn't make sense in the context of your question, so I assumed you meant something else.

What do you mean by being "safe from AFL"?

Well, elinks is a cul-de-sac, and AFL would probably obliterate it, so elinks users are most probably putting themselves in more danger than they avoiding.
elinks doesn't render iframes, so this attack wouldn't work.
I've learnt my lesson.

In future I will dismiss cookie consent buttons by deleting it's DOM node from the inspector.

This would be a nice adblock list.
Considering cookie consent buttons will be gone in two weeks, I don't think that's gonna be of much value.

EDIT: Please research the GDPR and new ePrivacy regulation before you vote.

I bet you they'll still be around in a decade :)
They may be, but they'll be useless then. They're not considered consent anymore under the new regulations.
Being useless is just one more reason to adblock them.
I won't vote either way, but I will say that regardless of what GDPR may mean, "you need a cookie warning" will be accepted web dev mantra for years, and the things they build in that time will be around longer still.
The "you need a cookie warning" is yhe reason why the GDPR is actually so strict, though.

The goal was to let users opt out of tracking in the hope that the industry would self-regulate.

Now that it hasn't, GDPR is coming down hard.

Web devs really manage to fuck everything up.

None of what you said is true.

It's impossible to run a website that does anything significant (such as show ads, use UX to convert visitors, or even log in) without cookies.

The regulators don't even understand this, and nowhere has anyone gone on record saying this ignorant and misguided law was secretly intended to push an industry to "self-regulate" (regulate what, one wonders?)

GDPR being a response to anything having to do with cookies is only your interpretation, and a fairly absurd one at that.

Lastly, no one said you have to like web devs, but HN requires you to be civil, so I suggest you save the hatorade for Reddit.

You mentioning "log in" in this context makes it pretty clear you're also fairly ignorant about the specific topic. Log ins, shopping baskets, ... do not require a cookie notice.
Not only is what you're saying irrelevant to my point, you're wrong. "Log ins, shopping baskets" do require a notice if they are persistent, which almost all of them are. Looks like you're the ignorant one here.
Addendum: Google logged me out of some services and I had to re-login with 2FA. It seems that Google is doing something about this, but what exactly?
Sounds like an "oh shit" "self-destruct" button just to cover their asses while they figure it out.
Nope I think it's more some AI stuff who has triggered.
Happened to me too
(comment deleted)
> This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar :(

Do the right thing Google.

Yeah, now they blocked OP webpage according to an update on the blog. So, the demo doesn't work but it will work for any other malicious page.
Or maybe that simply mean this is not the FIRST REPORT of that technical security vulnerability that substantially affect the confidentiality or theirs user’s data.

Which is in a way even worse :(

I too reported a similar issue very recently to VRP and got the exact same response, except in the end there was a line

"If you think we've misunderstood or can provide a convincing attack vector, please do let us know!"

I think OP did not post this line in the blog; which makes Google look like they don't at all care.

No, it was the full email. Besides, I've tried to suggest a fix by prompting first time users but it's been ignored for a week.
This is why I use Firefox Containers.
The irony here is that the ridiculous "agree to cookies" requirement makes the users ever so slightly less safe. (Thanks, regulators.)
Interesting discovery: The facebook-like clickjacking doesn't work on Firefox when I have Facebook in its own tab-container (even though I'm logged in, just in that container, not the one I clicked on).

I'm not sure what the minimal repro is here, but if it's the containerization working as intended, that'd be awesome.

According to an update on the OP post Google apparently now silently blocked the OP webpage, so the exploit doesn't work in this case - but will still work for any other malicious page. Not cool Google.
Why doesn't the browser simply disable cookies for the iframe?
That would break lots of things that rely on this...