In association with heise online

14 April 2008, 12:28

Vulnerability in Google spreadsheets allows cookie stealing


Security researcher Billy Rios has discovered a vulnerability in Google Spreadsheets which attackers can exploit using links to crafted tables to steal a user's cookie. According to Rios, the victim has to follow such a link in Internet Explorer. The stolen cookie can be used to access all Google services with the victim's identity, including reading the victim's Google Mail.

Rios explains on his blog that the security vulnerability results from incorrect content-type headers or the browser ignoring these headers in HTTP responses returned by the server. The problem is not confined to Internet Explorer: according to Rios, Firefox, Safari and Opera can also ignore the content-type header and attempt to determine the server response content type themselves.

Rios succeeded in exploiting the vulnerability by injecting HTML content into the server response. To do so he created a spreadsheet whose first cell contained HTML code and a snippet of JavaScript for displaying the user's cookie. Google Spreadsheets can export data in the text-based CSV format, and Internet Explorer, sniffing the content instead of honouring the declared type, renders such an export as HTML.
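The defensive side of the export problem described above, as an added example that is not code from the article, from Rios or from Google: a minimal CSV export handler that builds the weak response (correct Content-Type, nothing else) beside a hardened one, plus a check that flags an export whose leading bytes a sniffing browser could take for HTML. The sample spreadsheet, the header set and the marker list are constructed for this example; the `X-Content-Type-Options: nosniff` header was introduced by Internet Explorer 8 after this article was written, so `Content-Disposition: attachment` is the mitigation that would have applied at the time.

```python
# Added example (not from the article, Rios or Google): hardening a CSV
# export against browser content sniffing, and a check that flags the
# risky combination (HTML-looking body, no hardening headers).
import csv
import io
import re

# Constructed spreadsheet: first cell starts with benign markup, which is the
# shape of export that a sniffing browser may render as a page.
SAMPLE_ROWS = [
    ["<html><body>hello</body></html>", "1"],
    ["plain", "2"],
]

# Tag names that sniffing heuristics treat as evidence of HTML near the start
# of a body. Illustrative list, not the exact heuristic of any browser.
HTML_SNIFF_MARKERS = re.compile(
    r"<(!doctype|html|head|body|script|iframe|table|div|a\b|img|br|p\b)",
    re.IGNORECASE,
)

# Old IE inspected roughly the first few hundred bytes; 256 is an assumption.
SNIFF_WINDOW = 256


def rows_to_csv(rows):
    """Serialise a list of rows to CSV text."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def looks_sniffable_as_html(body, window=SNIFF_WINDOW):
    """True if HTML-looking markup appears in the leading bytes of the body,
    i.e. the case where a browser that ignores Content-Type may render it."""
    return HTML_SNIFF_MARKERS.search(body[:window]) is not None


def weak_export_response(rows):
    """The kind of response the article describes: a correct Content-Type
    but nothing that stops a sniffing browser rendering the body inline."""
    return {"headers": {"Content-Type": "text/csv"}, "body": rows_to_csv(rows)}


def hardened_export_response(rows, filename="export.csv"):
    """Hardened export: force a download so the browser never renders the
    body in the page context, and forbid sniffing on browsers that honour
    X-Content-Type-Options (IE8 and later)."""
    return {
        "headers": {
            "Content-Type": "text/csv; charset=utf-8",
            "Content-Disposition": f'attachment; filename="{filename}"',
            "X-Content-Type-Options": "nosniff",
        },
        "body": rows_to_csv(rows),
    }


def assess_export(response):
    """Classify an export response: is it at risk of being rendered as HTML?"""
    headers = {k.lower(): v.lower() for k, v in response["headers"].items()}
    forces_download = headers.get("content-disposition", "").startswith("attachment")
    nosniff = headers.get("x-content-type-options") == "nosniff"
    if not looks_sniffable_as_html(response["body"]):
        return "no markup in leading bytes"
    if forces_download or nosniff:
        return "markup present but response hardened"
    return "at risk: sniffable markup and no hardening"


if __name__ == "__main__":
    for name, resp in (("weak", weak_export_response(SAMPLE_ROWS)),
                       ("hardened", hardened_export_response(SAMPLE_ROWS))):
        print(f"{name:9s} -> {assess_export(resp)}")
```

The check is a useful gate in an export code path or a test suite: it catches the case where user-controlled cell content ends up as the first bytes of a response that browsers may sniff, independently of whether the headers were set correctly on that particular route.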

“With this single XSS, I can read your Gmail, backdoor your source code, steal all your Google Docs, and basically do whatever I want on Google as if I were you!” notes Rios. Google has now fixed the vulnerability and the browser now renders such crafted table content as text rather than HTML.

Just last week Rios published details of a vulnerability in Google Code which attackers could exploit to steal user passwords. In collaboration with Nathan McFeters he has previously discovered and demonstrated the Windows URI vulnerability and vulnerabilities in Google's Picasa.
