Full Report
The author found several odd quirks and behaviors that were not useful on their own. Chained together, they allowed files to be stolen from Google Drive through a YouTube embed in Google Slides.

Google Slides lets you embed YouTube videos. When you do, Slides builds the embed request by appending the supplied video id to a fixed YouTube URL. With a directory traversal (`../`) in the id, the iframe can be pointed at other paths on youtube.com instead of the embed player. YouTube's main page has anti-framing protections, so it could not be loaded this way, but emojis, CSS/JS files and a few other resources could be framed. Framing a page of the author's own choosing would be far more useful, so they went looking for an open redirect on YouTube.

They first looked at how external links are processed, but that route requires an extra click. Next they reviewed the authentication flow, which does redirect, but only to a few YouTube subdomains. Luckily, accounts.youtube.com turned out to have an open redirect, though only to various Google products. The redirect chain was now YouTube -> accounts.youtube.com -> docs.google.com. Why is that helpful? According to the author, Google Docs sends X-Frame-Options: SAMEORIGIN, so a document can only be framed by another docs.google.com page, and a Slides presentation is exactly that. The catch is that a framed document automatically disables dangerous functionality such as sharing, which makes this hard to exploit.

While going through links, they came across docs.google.com/file/d/{ID}/edit. This page shows a preview of the file and still allows sharing it, and it stays on the docs.google.com domain instead of redirecting to Drive. They also remembered that Google has a feature for requesting access to a folder, which sends the owner an email containing a link that pre-populates the sharing request. While playing with the fields, they noticed that adding the userstoinvite parameter to the URL turns the share from two clicks into one.
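The embed traversal described above, shown in JavaScript as an added example. This is not code from the post or from Google; the embed base URL, the 11-character id format check and the function names are assumptions made here for illustration.

```javascript
// Added example, not code from the post or from Google: what happens when a
// "video id" is appended to a fixed embed path without validation, and one
// way to validate it. The base URL, the id format check and the function
// names are assumptions made here for illustration.

const EMBED_BASE = "https://www.youtube.com/embed/";

// Naive construction: whatever the user supplied is appended to the base.
// The URL parser then resolves dot segments, so "../" walks out of /embed/.
function naiveEmbedUrl(videoId) {
  return new URL(EMBED_BASE + videoId).href;
}

// Hardened construction: YouTube video ids are 11 characters drawn from
// [A-Za-z0-9_-], so anything else is rejected before it reaches the URL.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/;

function safeEmbedUrl(videoId) {
  if (!VIDEO_ID_RE.test(videoId)) {
    throw new Error("invalid video id");
  }
  // Percent-encoding is defence in depth: an encoded id cannot contain "/".
  return new URL(EMBED_BASE + encodeURIComponent(videoId)).href;
}

// Check a built URL the way a reviewer would: same origin as the base, and
// still under /embed/ even after %2F is decoded, since some servers decode
// the path before routing.
function staysInEmbed(href) {
  const u = new URL(href);
  if (u.origin !== "https://www.youtube.com") return false;
  let decodedPath;
  try {
    decodedPath = decodeURIComponent(u.pathname);
  } catch (e) {
    return false; // malformed percent-encoding: treat as unsafe
  }
  const decoded = new URL(decodedPath, u.origin);
  return decoded.pathname.startsWith("/embed/");
}

// Stand-alone demo.
console.log(naiveEmbedUrl("../some/other/path"));              // leaves /embed/
console.log(staysInEmbed(naiveEmbedUrl("../some/other/path"))); // false
```

The allow-list on the id is the real fix; the `staysInEmbed` check is the kind of assertion to put in a test so that a later refactor of the URL construction cannot quietly reintroduce the traversal.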
Additionally, removing the capabilities option from the URL simply defaults the request to edit access. Putting everything together still did not frame the permissions page, though. Why? Various people at Google mentioned that there is a server-side mitigation against cross-origin framing: the server checks the Sec-Fetch-Dest and Sec-Fetch-Site request headers. To get past it, the request that lands on the file preview has to arrive through a same-origin redirect rather than straight from YouTube. Instead of hunting for another open redirect, the author realized that any URL change that triggers a redirect on docs.google.com is enough. For instance, https://docs.google.com/a/a/file/d/edit redirects to the real file URL. To make the whole thing believable, they placed a Google Form over the top of the framed docs page, with a hole cut over the one control that matters. All it takes is one click.

Here's the full attack:

1. Create a Google Slide with the crafted URL as the embedded video.
2. The victim opens the slideshow, which loads the embed and kicks off the steps below.
3. The path traversal on youtube.com moves the frame to accounts.youtube.com.
4. The redirect from accounts.youtube.com goes to the /a/a Google Docs link.
5. That redirects again to the document sharing link.
6. The victim clicks inside the framed box, granting the attacker access.

The number of steps and the problem-solving here was amazing! I found this via James Kettle and this post did not disappoint at all. The more I read about client-side security, the more I realize I know nothing about the browser. Great post!
Analysis Summary
# Vulnerability: Unauthorized Google Drive File Access via YouTube Embed & Clickjacking
## CVE Details
- **CVE ID:** N/A (reported through the Google Bug Hunters program; Google does not generally assign CVEs to flaws in its hosted services, only to issues in software customers run themselves).
- **CVSS Score:** 8.3 (High) - Estimated based on unauthorized access to private data.
- **CWE:** CWE-22 (Path Traversal), CWE-20 (Improper Input Validation), CWE-601 (Open Redirect), CWE-1021 (Improper Restriction of Rendered UI Layers or Frames, i.e. clickjacking).
## Affected Systems
- **Products:** Google Slides, YouTube, Google Docs/Drive.
- **Versions:** Cloud-based SaaS; reported fixed as of September 2024.
- **Configurations:** Any Google account with access to Google Slides and private files in Google Drive.
## Vulnerability Description
The vulnerability is an exploit chain combining four distinct weaknesses:
1. **Path Traversal in Slides Embeds:** Google Slides embedded YouTube videos by appending the supplied `videoid` to a fixed `youtube.com/embed/` URL. An id containing `../` therefore traversed out of the embed path to other paths on youtube.com, letting the Slides iframe load YouTube resources that are not frame-protected.
2. **Open Redirect via the Auth Flow:** The sign-in flow on `accounts.youtube.com` redirects only to a limited set of destinations, but those include other Google products, so the chain could move from YouTube to `docs.google.com`.
3. **Bypassing the Server-Side Fetch Metadata Check:** Google Docs inspected the `Sec-Fetch-Dest` and `Sec-Fetch-Site` request headers to reject cross-origin framing. The researcher found that the check passed when the final hop was a same-origin redirect (e.g. `docs.google.com/a/a/file/d/edit` redirecting to the real file URL) rather than a direct cross-site arrival from YouTube.
4. **One-Click Sharing Grant:** The `docs.google.com/file/d/{ID}/edit` preview page keeps the sharing UI available even when framed. Pre-populating it with the `userstoinvite` parameter (and omitting the capabilities parameter, which defaults to edit) reduces the share to a single click, so one click on the framed page grants the attacker Editor permissions on the victim's file or root folder.
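The server-side framing check in item 3, and the design lesson behind its bypass, as an added example (not Google's code). Requests are modelled as a method plus an object of lower-cased header names; the policy, the function names and the response headers are assumptions made here for illustration, since the post only says that Docs checks `Sec-Fetch-Dest` and `Sec-Fetch-Site`.

```javascript
// Added example, not Google's code: a server-side framing gate built on the
// Fetch Metadata request headers, in front of a page that can grant access.
// Requests are modelled as a method plus an object of lower-cased header
// names; the policy and its return values are assumptions for illustration.

const FRAME_DESTS = new Set(["iframe", "frame", "embed", "object"]);

// Baseline resource-isolation policy: same-origin, same-site and
// browser-initiated requests pass; cross-site requests pass only when they
// are plain top-level GET navigations (a link or bookmark), never embeds.
function baselineAllows(method, h) {
  const site = h["sec-fetch-site"];
  if (site === undefined) return true; // no Fetch Metadata (old browser): rely on other defences
  if (site === "same-origin" || site === "same-site" || site === "none") return true;
  return (
    h["sec-fetch-mode"] === "navigate" &&
    method === "GET" &&
    !FRAME_DESTS.has(h["sec-fetch-dest"])
  );
}

// Stricter gate for the sharing page: never serve it into a frame, whatever
// Sec-Fetch-Site says. "same-origin" only means the initiator lives on our
// origin; an origin that also embeds third-party URLs (as Slides did with
// YouTube) can be made to initiate exactly such a request.
function sharingPageAllows(method, h) {
  if (!baselineAllows(method, h)) return false;
  return !FRAME_DESTS.has(h["sec-fetch-dest"]);
}

// Response-side backstop so the browser refuses to render the page in a frame
// even if a request slips past the gate. Vary keeps shared caches from
// serving a response computed for one Sec-Fetch value to another request.
function sharingPageHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Vary": "Sec-Fetch-Dest, Sec-Fetch-Site",
  };
}

// Stand-alone demo: the framed same-origin request that the baseline policy
// accepts is exactly the one the stricter gate refuses.
const framedSameOrigin = {
  "sec-fetch-site": "same-origin",
  "sec-fetch-mode": "navigate",
  "sec-fetch-dest": "iframe",
};
console.log(baselineAllows("GET", framedSameOrigin), sharingPageAllows("GET", framedSameOrigin)); // true false
```

The point to take from the chain is that `Sec-Fetch-Site: same-origin` describes the page that initiated the navigation, not who controls what that page embeds. A page that can hand out permissions should refuse to be framed at all, and the request-side gate should be paired with `frame-ancestors` on the response rather than relied on alone.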
## Exploitation
- **Status:** PoC Available (Confirmed by Google VRP).
- **Complexity:** High (Requires chaining multiple quirks and bypasses).
- **Attack Vector:** Network (Web-based).
- **Social Engineering:** Required (the victim must click once inside a malicious Google Slide; the click lands on the framed sharing page hidden under a Google Form overlay with a hole over the control that completes the share).
## Impact
- **Confidentiality:** High (Attacker can gain access to private documents and entire Google Drive folders).
- **Integrity:** High (Attacker gains Edit permissions on files).
- **Availability:** Low (the attack grants access to data rather than destroying it).
## Remediation
### Patches
- **Vendor Fix:** As reported in this summary, Google added server-side mitigations against the YouTube path traversal, tightened the redirect logic on `accounts.youtube.com`, and extended the `Sec-Fetch-Site` validation.
### Workarounds
- Users should be cautious when interacting with shared Google Slides from untrusted sources, especially if urged to click on transparent or oddly placed elements. Workspace administrators can also restrict or block sharing outside the organization in the Drive sharing settings, which limits what a successful click can grant.
## Detection
- **Indicators of Compromise:** Drive audit log entries showing an unknown or external account being granted Editor (or owner) access on sensitive files or folders, above all on a user's root folder; unexpected Drive "Access Request" emails are a weaker signal, since the attack drives the pre-populated share link directly rather than through email.
- **Detection Methods:** Scanning Slides content for YouTube embed URLs containing traversal sequences (`../`, `..%2f`) requires content inspection that most organizations do not have. The practical signal is the Google Workspace Drive audit log: alert on permission-change events where the grantee is outside the organization and the new role is edit or owner.
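The audit-log detection described above, as an added example (not from the post or from Google). The records are constructed here in the shape of Google Workspace Reports API `drive` activities (event type `acl_change`, name `change_user_access`, parameters `target_user`, `new_value`, `old_value`, `doc_id`, `doc_title`); the organization domain and those field names are assumptions to check against your own exported logs.

```javascript
// Added example, not from the post or from Google: flag Drive audit events in
// which an account outside the organisation is granted edit or owner access.
// The records are constructed in the shape of Google Workspace Reports API
// "drive" activities; verify the field names against your own exported logs.

const ORG_DOMAIN = "example.com"; // assumed tenant domain
const PRIVILEGED_ROLES = new Set(["can_edit", "owner"]);

// Build one constructed activity record in the Reports API shape.
function activity(time, actor, p) {
  return {
    id: { time },
    actor: { email: actor },
    events: [{
      type: "acl_change",
      name: "change_user_access",
      parameters: [
        { name: "target_user", value: p.target },
        { name: "new_value", multiValue: [p.role] },
        { name: "old_value", multiValue: ["none"] },
        { name: "doc_id", value: p.docId },
        { name: "doc_title", value: p.title },
      ],
    }],
  };
}

// Constructed sample: one internal edit grant, one external view grant, and
// the case that matters here: the owner's root folder shared to an outsider.
const SAMPLE_ACTIVITIES = [
  activity("2024-09-17T10:01:12Z", "alice@example.com",
    { target: "bob@example.com", role: "can_edit", docId: "1ConstructedDocId", title: "Q3 plan" }),
  activity("2024-09-17T10:03:30Z", "alice@example.com",
    { target: "partner@vendor.invalid", role: "can_view", docId: "1ConstructedDocId", title: "Q3 plan" }),
  activity("2024-09-17T10:05:44Z", "alice@example.com",
    { target: "attacker@evil.invalid", role: "can_edit", docId: "0AConstructedRootId", title: "My Drive" }),
];

// Collapse the parameters array into a plain object keyed by parameter name.
function paramsOf(event) {
  const out = {};
  for (const p of event.parameters || []) {
    out[p.name] = p.multiValue !== undefined ? p.multiValue : p.value;
  }
  return out;
}

// Return every grant of a privileged role to an account outside orgDomain.
function externalPrivilegedGrants(activities, orgDomain = ORG_DOMAIN) {
  const hits = [];
  for (const a of activities) {
    for (const e of a.events || []) {
      if (e.type !== "acl_change" || e.name !== "change_user_access") continue;
      const p = paramsOf(e);
      const target = String(p.target_user || "").toLowerCase();
      const roles = Array.isArray(p.new_value) ? p.new_value : [p.new_value];
      const external = target.includes("@") && !target.endsWith("@" + orgDomain.toLowerCase());
      const privileged = roles.some((r) => PRIVILEGED_ROLES.has(r));
      if (external && privileged) {
        hits.push({
          time: a.id.time,
          actor: a.actor.email,
          target,
          roles: roles.join(","),
          docId: p.doc_id,
          title: p.doc_title,
        });
      }
    }
  }
  return hits;
}

// Stand-alone demo: prints the single flagged grant (the root folder share).
console.log(externalPrivilegedGrants(SAMPLE_ACTIVITIES));
```

In production the same function runs over the activities returned by the Reports API (or the exported audit log), and a grant whose `doc_title` is the user's root folder deserves the highest priority, because it exposes everything under it.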
## References
- **Original Research:** hxxps[://]lyra[.]horse/blog/2024/09/using-youtube-to-steal-your-files/
- **Google Bug Hunters:** hxxps[://]bughunters[.]google[.]com/
- **James Kettle (Context):** hxxps[://]x[.]com/albinowax/status/1836773299723555246