Path manipulation fools IE and Edge into loading external scripts

Less than a month after coming forward with a bug in Google’s single sign-on widget, ethical hacker File Descriptor has published a new write-up detailing a flaw in Google Fusion Tables, the free data visualization web app.

In a recent blog post, the researcher demonstrates how a quirk in the way Microsoft’s Internet Explorer (IE) and Edge browsers handle URL decoding could be combined with a path parameter flaw in Fusion Tables and a relative URL, allowing an attacker to load external scripts on the Google domain.

The attack fools IE or Edge into retrieving a different URL from the one expected, before using the open redirect function in Google AMP to load external content.

This bug is a relative path overwrite (RPO) vulnerability, and its impact is the same as that of XSS: an attacker could import scripts and execute JavaScript in the context of google.com.
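The underlying fragility is ordinary relative URL resolution: a `<script src="...">` without a leading slash resolves against whatever path the page was reached through, so an extra path segment (such as a `;key=value` path parameter that the server ignores) silently moves where the browser fetches the script from. The following is an added example, not code from the article, Google, or File Descriptor; it uses the standard WHATWG URL parser in Node.js and does not reproduce the IE/Edge decoding quirk the article mentions. The hostname `app.example`, the `/assets/` directory, the sample HTML, and the `;k=v/extra` suffix are all constructed for illustration. It audits the script tags of a page and flags any that resolve outside the directory they are expected to live in, which is the check a defender would run when deciding whether to replace relative script references with root-relative or absolute ones.

```javascript
// Added example (not from the article, Google, or File Descriptor): shows how a
// relative <script src> resolves when the page URL carries an extra path
// segment, and flags script tags that resolve outside their expected directory.
// Standard WHATWG URL resolution only; the IE/Edge decoding quirk is not modelled.

// Hypothetical: the only directory in which first-party scripts are expected.
const EXPECTED_SCRIPT_BASE = "https://app.example/assets/";

// Resolve a script src against the page URL exactly as a browser would.
function resolveScript(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

// True only if the resolved script stays on the expected origin and inside
// the expected directory; a moved relative src fails this check.
function isExpectedScript(src, pageUrl, expectedBase = EXPECTED_SCRIPT_BASE) {
  const resolved = new URL(src, pageUrl);
  const expected = new URL(expectedBase);
  return (
    resolved.origin === expected.origin &&
    resolved.pathname.startsWith(expected.pathname)
  );
}

// Extract every <script src="..."> (simple regex, adequate for the constructed
// sample below) and report where each one actually resolves for the given URL.
function auditScriptTags(html, pageUrl, expectedBase = EXPECTED_SCRIPT_BASE) {
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[1];
    findings.push({
      src,
      resolved: resolveScript(src, pageUrl),
      expected: isExpectedScript(src, pageUrl, expectedBase),
    });
  }
  return findings;
}

// Constructed sample page: one relative, one root-relative, one absolute src.
const SAMPLE_HTML = `
<html><head>
<script src="assets/app.js"></script>
<script src="/assets/vendor.js"></script>
<script src="https://app.example/assets/core.js"></script>
</head></html>`;

// The page as the developer expects it to be reached.
const NORMAL_PAGE = "https://app.example/view";
// The same page reached through a URL with a constructed extra path segment.
const ALTERED_PAGE = "https://app.example/view;k=v/extra";

function main() {
  for (const pageUrl of [NORMAL_PAGE, ALTERED_PAGE]) {
    console.log(`page: ${pageUrl}`);
    for (const f of auditScriptTags(SAMPLE_HTML, pageUrl)) {
      console.log(`  ${f.expected ? "ok   " : "MOVED"} ${f.src} -> ${f.resolved}`);
    }
  }
}

main();
```

Only the relative `assets/app.js` moves (to `/view;k=v/assets/app.js`) on the altered URL; the root-relative and absolute references resolve to the same place on both, which is why pinning script references to an absolute origin and path, or serving the application from a dedicated host as the article says Google did, removes this class of problem.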

File Descriptor received $5,000 for his responsible disclosure, plus a $1,000 bonus for what Google called a “cool bug and novel approach”.

“Google has fixed this class of bug by moving many products to dedicated subdomains and removing support for path parameter,” the researcher said.