The Google just fix a bug in its built -in feedback tool in Google Docs , which could be exploited by malicious attackers to steal screenshots with confidential documents and transfer them to malicious sites.
The flaw was discovered by security researcher Sreeram KL on July 9, and earned the investigator a prize, paid by the Google Vulnerability Reward Program, in the amount of US $ 3,133.70, about R $ 16.3 thousand.
The bug was located in the option “Send feedback” or “Help Docs to improve”, a very common tool in Google products, which allows users to send feedback with the possibility of attaching a screenshot, which is done automatically to illustrate specific problems.
How would a possible hacker attack on Google Docs work?
According to Sreeram KL, the flaw in Google Docs consisted of integrating feedback into other domains, using an iframe element, which allows the image capture of the “feedback .googleusercontent.com” pop-up. how the attack flow could work.
To exploit this flaw in Google Docs, a hacker would rely on the user’s “help”, and the data obtained would be limited to only the document from which the copy was sent. However, it represents a real risk of exposure of personal data, not to mention that, when it comes to people with malicious intent, little care is required.