Security company gains read access on Google server

Spread the love

Researchers at a Swedish security company have managed to gain read access to a Google production system. This allowed them to read all local files and possibly break into the Google network further.

In their attempt to break into a Google server, Detectify’s researchers sought an outdated piece of the search engine, where developers can submit their own buttons for the Google Toolbar. For this, among other things, XML code with style elements must be uploaded.

However, the Toolbar Button gallery’s xml parser failed to check which files were loaded from the xml file. As a result, the researchers could in principle read any file, including files with passwords. These were local passwords used for system administration, not user passwords.

Potentially, however, the researchers could have dug much further: they could have gathered knowledge of the internal Google network to access other servers on the network, for example. Potentially, the vulnerability that the researchers abused, a so-called XML external entity, also offers the possibility to execute own code or a denial of service.

Whether that was also possible in this case is not clear: the researchers chose to report the security problem to Google. In exchange, they received a reward of 10,000 dollars, converted approximately 7200 euros.

You might also like
Exit mobile version