The Google Apps admin console allows administrators to manage their organization’s account. Administrators can use the console to add new users, configure permissions, manage security settings and enable Google services for their domain. The console is used primarily by businesses, especially those using Gmail as the e-mail service for their domain.

A critical cross-site scripting (XSS) vulnerability in the Google Apps admin console allowed cyber criminals to force a Google Apps admin to execute just about any request on the https://admin.google.com/ domain.

The XSS flaw allowed attackers to force the admin to perform the following actions:

Creating new users with “super admin” rights

Disabling two-factor authentication (2FA) and other security measures on existing accounts or across multiple domains

Modifying domain settings so that all incoming e-mails are redirected to addresses controlled by the attacker

Hijacking an account or e-mail address by resetting the password, disabling 2FA, and also temporarily removing login challenges for 10 minutes

This new zero-day vulnerability was discovered and privately reported by application security engineer Brett Buerhaus to Google on September 1 and the company fixed the flaw within 17 days. In exchange for the report, Google paid the researcher $5,000 as a reward under its bug bounty program.

According to the researcher, when users access a service that hasn’t been configured for their domain, they are presented with a “ServiceNotAllowed” page. This page allows users to switch between accounts in order to log in to the service.

However, when one of the accounts was selected, a piece of JavaScript code was executed in an attempt to redirect the user’s Web browser. JavaScript code could be supplied by the user in the “continue” request parameter of the URL, which allowed XSS attacks.

“The continue request parameter is a fairly common request variable in the Google login flow,” Buerhaus explained in a blog post published on Wednesday. “This is the only page that I could find that did not validate the URL passed into it. This allowed you to craft Cross-Site Scripting attacks by using ‘javascript:’ as part of the URL and it would execute when the browser location is redirected.”
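As an added illustration, not code from the article, from Buerhaus’s write-up or from Google, the kind of check that closes this class of bug: a “continue”-style redirect parameter is run through the browser’s own URL parser and handed to the location only if it resolves to an https URL on an allowed host, so a “javascript:” value (or an off-site address) never reaches the redirect. The page origin, the host allowlist and the sample inputs below are assumptions constructed for the example.

```javascript
// Added example (not the article's or Google's code): validate a redirect
// parameter before using it as a navigation target.

// Assumed values for this illustration; a real deployment would take them
// from configuration.
const BASE_ORIGIN = "https://admin.google.com/";
const ALLOWED_HOSTS = new Set(["admin.google.com", "accounts.google.com"]);
const FALLBACK_URL = "https://admin.google.com/";

// Returns a safe absolute URL string, or FALLBACK_URL if the input is unsafe.
function safeContinueUrl(raw, allowedHosts = ALLOWED_HOSTS) {
  if (typeof raw !== "string") return FALLBACK_URL;
  let url;
  try {
    // Parse relative to the page origin so "/path" and "//host/path" resolve
    // the same way the browser would resolve them on assignment to location.
    // The WHATWG URL parser also strips leading whitespace and embedded
    // tab/newline characters and lowercases the scheme, so "  JavaScript:"
    // and "java\tscript:" end up with protocol "javascript:" like any other.
    url = new URL(raw, BASE_ORIGIN);
  } catch (e) {
    return FALLBACK_URL; // unparseable input
  }
  // Only plain https navigation is acceptable: this rejects javascript:,
  // data:, file: and every other scheme that is not a web origin.
  if (url.protocol !== "https:") return FALLBACK_URL;
  // Reject credentials in the authority ("https://admin.google.com@evil.example/").
  if (url.username !== "" || url.password !== "") return FALLBACK_URL;
  // Protocol-relative input ("//evil.example/") resolves to a foreign host.
  if (!allowedHosts.has(url.hostname)) return FALLBACK_URL;
  return url.href;
}

// Constructed sample inputs: values a "continue" parameter might carry.
const SAMPLES = [
  "/ServiceNotAllowed?service=mail",
  "https://admin.google.com/AdminHome",
  "javascript:alert(1)",
  "  JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "//evil.example/phish",
  "https://admin.google.com@evil.example/",
  "http://admin.google.com/",
  "data:text/html,hello",
];

// Runs every sample through the validator; only the first two survive.
function classifySamples() {
  return SAMPLES.map((s) => ({ input: s, result: safeContinueUrl(s) }));
}

for (const { input, result } of classifySamples()) {
  console.log(JSON.stringify(input).padEnd(44), "->", result);
}
```

The important design choice is to parse first and compare the parsed parts, rather than pattern-matching the raw string: a check such as “does it start with javascript:” is defeated by case changes, leading whitespace or embedded tabs, all of which the URL parser normalises away before the scheme is compared. In the page, the validated value would then be assigned to `window.location`; here it is simply returned so the check can be tested on its own.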
