Google Docs suffers from cross-site request forgery and clickjacking vulnerabilities.
CSRF & Clickjacking: Google Document, Drawing, Forms, Spreadsheet, Presentation
An attacker can create a Google Document, Drawing, Form, Spreadsheet, or
Presentation in the victim's Google Drive and obtain permission to that
document. In simple terms, the created document will be shared with the
attacker.
*Vulnerable Domain:*
https://docs.google.com
*Google Services Vulnerable to this attack:*
https://docs.google.com/drawings
https://docs.google.com/forms
https://docs.google.com/spreadsheet
https://docs.google.com/presentation
https://docs.google.com/document
*Tested Browser Versions*
Attacker Browser: Internet Explorer 9
Victim Browser : Google Chrome Version 25.0.1364.152 m Updated
POC Video
http://www.youtube.com/watch?v=OJaPIg_sMek
*Reference*
http://thehackernews.com/2013/03/hacking-google-users-with-googles.html
*Steps*:
- The attacker sends the victim an e-mail that contains the malicious URL.
- The victim clicks the URL and interacts with the page.
- The attacker succeeds in creating a document in the victim's Google
Drive with edit permissions.
Regards,
*Christy Philip Mathew*
Information Security Researcher
Mob: +91-9555223888
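
The two weaknesses named in this advisory (a state-changing "create" action that a cross-site request can trigger, and a page that another origin can frame) map to the server-side checks sketched below. This is an added example, not part of the original advisory and not Google's code; the function names, the request shape and the origin https://docs.example.test are assumptions made for illustration.

```javascript
// Added example: hypothetical guard for a state-changing "create document"
// action. Every name and the origin below are assumptions.
const TRUSTED_ORIGIN = "https://docs.example.test"; // placeholder origin

// Constant-time comparison so the token check does not leak through timing.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// req: { method, headers (lower-cased names), bodyToken, sessionToken }
function guardCreateRequest(req) {
  // 1. A state change must not be reachable through a plain link (GET).
  if (req.method !== "POST") return { allow: false, reason: "method" };
  // 2. Fetch Metadata, when the browser sends it, labels cross-site requests.
  const site = req.headers["sec-fetch-site"];
  if (site && site !== "same-origin") return { allow: false, reason: "cross-site" };
  // 3. Origin must match when present; older browsers may omit both headers.
  const origin = req.headers["origin"];
  if (origin && origin !== TRUSTED_ORIGIN) return { allow: false, reason: "origin" };
  // 4. The per-session anti-CSRF token is required whatever the headers say.
  if (!constantTimeEqual(req.bodyToken, req.sessionToken)) {
    return { allow: false, reason: "token" };
  }
  return { allow: true, reason: "ok" };
}

// Response headers that stop another origin from framing the page.
function antiFramingHeaders() {
  return {
    "Content-Security-Policy": "frame-ancestors 'self'",
    "X-Frame-Options": "SAMEORIGIN", // fallback where frame-ancestors is unsupported
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { method: "GET", headers: {}, bodyToken: undefined, sessionToken: "s3ss10n-t0k3n" },
  { method: "POST", headers: { origin: "https://attacker.example.test" }, bodyToken: undefined, sessionToken: "s3ss10n-t0k3n" },
  { method: "POST", headers: { origin: TRUSTED_ORIGIN }, bodyToken: "s3ss10n-t0k3n", sessionToken: "s3ss10n-t0k3n" },
];
for (const s of samples) console.log(s.method, s.headers.origin || "-", guardCreateRequest(s).reason);
```

The token check runs even when the Origin and Sec-Fetch-Site headers are absent, since older browsers may send neither.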