Change OAuth Target URL & Domain Description [ UI redress attack ]

I forgot to blog about my another Google bug.  Now a days i am got busy in my start up project ! I hope so i will back soon on bug bounty will have some god blog out !

To Change OAuth Target URL & Domain Description Can be achieved using Clickjacking Vulnerability . Click Jacking is commonly know as OWASP Top 10 Vulnerability.

Status: Fixed

OAuth is cool and simple to understand developer can integrate with Google ‘s OAuth endpoints seamlessly and effortlessly . Google Provider a Panel to manage the Return URL & Domain Description by using following URL.

Vulnerable URL : https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com

On the page there two input box called as Target URL path prefix: & Domain description: where use submit Domain & description information.

As Shown in the following Image :

Change OAuth Domain & Description

POC : < i f r a m e s r c = “https://accounts.google.com/ManageDomain?authsub_msd=anydomain.com” width=”600″ height=”600″> // Not actual POC

Header Information :

As you can see missing Header information in the below Header Information

Host: accounts.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Special thanks to Google Security Team & G4H(garage4hackers.com) Team ..