Google account cookie theft via blogspot

Intro

Hi all,

I'm going to run through this as I do it. That's because, even if it doesn't work on , I don't think this is a bad idea per se. It could work on other sites similar to blogspot that let you directly edit the HTML and add scripts to a site that carries external cookies. If this comes to an abrupt end, then I'll definitely try some of those. I'm also pretty sure this has limited use, as you'll see.

Idea

This started after I saw some examples of XSS being used to steal sessions. XSS is usually used to steal the cookies of someone else's site, but I had a thought: what stops you from stealing other websites' cookies from your own website? For example, if you have a Google account cookie on your blog, can you steal that? This has probably been thought of before. However, I feel like knowing something has been done before, or knowing that it isn't possible, can often get in the way of a good learning experience.

Execution


First thing to do: make a new site, which will contain the payload. Luckily I had a spare blogspot site left over from a different project. Looking over the site, I then had to find out where the cookies were. Luckily, I didn't need to look far.

It turns out that while the main page doesn't have any Google cookies on it, the comment page does. Unfortunately, you need to actually convince someone to make a comment. This is even less useful than I assumed, but still, possible is possible. Is there any other way of doing this on blogspot? My first thought was plugins. I was sure I remembered something along those lines from about 4 years ago, but no.

This was the point where it dawned on me that you're probably not using the same cookies for some random blogspot website as for gmail. However, I was only a little bit perturbed by how stupid and impractical this was, so I set about making another blog to call back to.

Now, I didn't want to spin up a server or whatever, and I couldn't get it to call back to a PHP file because blogspot doesn't work with those. So instead my brain fixed on an idea so stupid it might just work: comments. You see, you can post a comment on a blog, and you don't need any verification unless someone specifies it. Brilliant, right?

No

There seems to be a security token to stop bots etc. from making requests. At this point, the focus moved from making this work well to seeing if it would work at all. I decided to just set up a simple HTTP server with the Python module, and then have the script go to the server's ip/[cookie]. This would at least let me know whether this could work at all, if you really put some effort into it.


First I tried embedding JavaScript into a post. It worked, as you can see from the above image. Changing it to a standard XSS script didn't quite work, however. No attempt to access the URL was logged by the server, so I set about trying to find out what was wrong. I then created an alert for the document cookie, and this didn't work either: the alert appeared, but there was nothing in it. At this point, I realised that Google didn't want this to happen, and any attempts to get around this were going up against one of the most security-conscious companies in the world, and would be futile.

Still I trudged on, and I'll be honest, I have learnt something: I had no idea you could block document.cookie from being used. I tried a couple of variations from this very useful website, and none of them worked out, so I then moved on to trying to add an alert to the theme of the page, to see if that would work instead. It didn't. I couldn't even get an alert to appear.
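As an added example that is not part of the original post, here is a small JavaScript model of the two browser cookie rules that bear on the empty alert above: a cookie flagged HttpOnly is never exposed through document.cookie, and a cookie is only visible to the host that set it (or to hosts under its Domain attribute), so script on a blogspot page never sees a google.com cookie. The hostnames are illustrative and the cookie names and values are constructed.

```javascript
// Added example (not from the original post): a model of the two browser cookie
// rules that hide cookies from document.cookie. Hostnames are illustrative.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: null, path: '/', httpOnly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'httponly') c.httpOnly = true;
    else if (k.toLowerCase() === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (k.toLowerCase() === 'path') c.path = v;
  }
  return c;
}

// Store a Set-Cookie header received from `host`; returns false if rejected.
function storeCookie(jar, host, header) {
  const c = parseSetCookie(header);
  const domain = c.domain || host;           // no Domain attribute: host-only
  // A response may only set cookies for its own host or a parent domain.
  if (host !== domain && !host.endsWith('.' + domain)) return false;
  jar.push({ ...c, domain, hostOnly: !c.domain });
  return true;
}

// What document.cookie returns to a script running on `host` at `path`.
function documentCookie(jar, host, path) {
  return jar
    .filter(c => !c.httpOnly)                           // rule 1: HttpOnly hidden
    .filter(c => c.hostOnly ? host === c.domain         // rule 2: domain scope
                            : host === c.domain || host.endsWith('.' + c.domain))
    .filter(c => path === c.path ||
                 path.startsWith(c.path.endsWith('/') ? c.path : c.path + '/'))
    .map(c => `${c.name}=${c.value}`).join('; ');
}

// Scenario from the post: Google cookies in the jar plus a cookie on a blog page.
function demo() {
  const jar = [];
  storeCookie(jar, 'accounts.google.com', 'SID=constructed-sid; Domain=.google.com; Path=/; HttpOnly');
  storeCookie(jar, 'www.google.com', 'NID=constructed-nid; Domain=.google.com; Path=/');
  storeCookie(jar, 'example.blogspot.com', 'theme=dark; Path=/');
  return {
    blogCanSetGoogle: storeCookie(jar, 'example.blogspot.com', 'x=1; Domain=google.com'), // false
    onBlog: documentCookie(jar, 'example.blogspot.com', '/'),    // 'theme=dark'
    onGmail: documentCookie(jar, 'mail.google.com', '/'),        // 'NID=constructed-nid'
  };
}
```

The HttpOnly SID cookie is invisible even to script on mail.google.com, which is the defence the post found itself up against.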

Conclusion

I've definitely learnt a few things today:
  1. Don't bother with anything, Google has already thought of it (Who'd have thought).
  2. These things may at least work better than you expected.
  3. You can block these kinds of attacks very easily. Hell, you can make session theft pretty much impossible by having a robust set of blocks against scripts using cookies. However, what effect this would have on a website that normally uses cookies I'm unsure about. It doesn't seem like much, but I don't want to be too hasty.
As well, I've got a solid base of experience for something I can test in the future. I didn't expect anything to come of this, but it might, depending on what safeguards are on websites that allow you to edit their HTML. I mean, not every company is Google, right?
