Privacy Ninja

Google Docs Bug Allowed Cyber-spies To Screenshot Private Documents

Google Docs Bug Allowed Cyber-spies To Screenshot Private Documents

A security vulnerability in Google Docs allowed malicious hackers to take screenshots of private documents, a security researcher has found.

Reported by Sreeram KL under the Google Vulnerability Reward Program, the bug arises from a misconfiguration in the popular online word processor.

Stealing the screenshot

Many Google products have a ‘Send Feedback’ feature that allows users to report issues (in Google Docs it is called ‘Help Docs improve’). The dialog includes an option to send a screenshot along with the report, which is enabled by default.

Since the feature is shared across many applications, it is embedded as an iframe element from the main domain.

To enable interactions between the Google Docs window and feedback iframe, screenshots taken from the Google document are stored in and sent across domains.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

Sreeram’s goal was to find a way to cause the feedback iframe to post the screenshot to an arbitrary domain.

Previous research has shown that misconfigurations in headers can create opportunities to steal information from iframes.

PostMessage misconfiguration

Websites can include an x-frame-options header that, if set, can prevent clickjacking attacks and redirection of post messages to other domains.

Unfortunately for Google, the header was missing from the Google Docs application, so when you embedded it as an iframe in another webpage, you could manipulate the post destination of its inner iframes, namely the feedback dialog.

When a user types in feedback and clicks send, the screenshot of the Google document is sent to the attacker’s arbitrary domain.

“PostMessage misconfiguration has been a hot topic in recent times, so I was actively looking for one on Google products,” Sreeram told The Daily Swig.

The researcher was also inspired by a solution to one of bug bounty platform Intigriti’s cross-site scripting (XSS) challenges.

“I was always amazed by Intigriti’s XSS challenges. I wanted to exploit quirks from those challenges in real-world applications – and it worked,” he said.

Sreeram posted a proof-of-concept video on YouTube:

This kind of bug is not limited to Google web applications.

“I strongly believe many other websites could also be affected by the similar bug, because many people aren’t really aware that the location of iframes can be replaced by a cross-origin domain,” the researcher warned.

Also Read: Letter of Consent MOM: Getting the Details Right

Sreeram is currently ranked 37 on Google VRP’s hall of fame. This catch netted him a $3,100 bug bounty. Google has patched the bug following Sreeram’s report.

Outsourced DPO – It is mandatory to appoint a Data Protection Officer. Engage us today.

PDPA Training (SkillsFuture Eligible) – Empower data protection knowledge for your employees.

Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.


Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× Chat with us on WhatsApp