Google employee pwned by XSS bug in Chrome extension

Emails and other data from the Gmail account exposed

A security researcher successfully gained access to a Google employee’s emails, customer data, and other sensitive information thanks to a vulnerable extension in Chrome.

Researcher Rojan Rijal successfully executed a blind cross-site scripting (XSS) bug against a G Suite employee after he was asked to trial the ’Hire with Google’ service.

Rijal, a G Suite admin, received an email from a sales team employee and decided to try his luck at sending a blind XSS – which, in turn, paid off.

He filled out a form to demo the new service, he wrote in a blog post, and inserted a blind XSS payload in his name.

Hours later, he realised it had executed – giving Rijal access to emails between the employee and their colleagues.

He also accessed the data of other G Suite users who had filled in their details in order to trial or buy the service.

And Rijal says he was able to view other “sensitive information”, the nature of which he did not disclose.

Rijal told The Daily Swig: “Initially when I found it, I was not sure if it was valid at all because I thought it might have been a false positive.

“Then I realized that it was a @google.com email where it executed. So, I got excited and filed the report.”

Vulnerable extension

After contacting Google, the tech giant’s security team worked together with Rijal to identify the cause of the problem.

They discovered that the vulnerability lay in the Chrome extension that the employee was using.

Rijal said: “At first, I was not sure how the XSS even executed in mail.google.com but Google was pretty transparent when they rewarded the bounty.”

He added: “I was satisfied with Google’s response.”

This latest vulnerability is another example of why users should be wary when using browser extensions.

Because while browser extensions can be a handy and important tool for many security buffs and computer users alike, they can also harbor malicious code.

Take the Stylish browser, for example, which was recently found to be tracking users’ internet usage after it was sold to a web analytics company.

Rijal told The Daily Swig: “Honestly, I think browser extensions can be a good and bad at the same time.

“Considering how many plugins are out there, you can never tell which is more secure unless you decide to check its code and do a review of it before installing.

“One thing for sure people have to be on lookout for is extensions that have permission to modify websites you visit.

“Even though the site might be safe, because the extension can modify its content, you are going to be one bug away from getting pwned.”