Spare Clock Cycles Hacking is freedom.

3 Feb 2011

Google Analytics XSS Vulnerability

This post documents an XSS vulnerability I discovered in the event tracking functionality provided by Google Analytics. Given a website's Google account number (which can be found in the site source), one could spoof specially crafted events that, when clicked in the administrative interface, would run arbitrary Javascript in the victim's browser. This would allow an attacker to, among other things, hijack the account. Although it did not affect as many users as the Gmail XSS vulnerability did, it posed a significant risk to many site administrators, who are prime targets for attack.

Vulnerability Discovery

Back when I released d0z.me, I realized that I had never set up event tracking for tarball downloads on my site. While getting this configured, I got curious as to how well Google sanitized the incoming data, given that a malicious user could arbitrarily define what events would be sent and then presented to an administrator. I wrote up some incredibly simple Javascript that would send an XSS testing string in the various fields provided by the event tracking API. After waiting a few minutes for it to update in the Analytics interface, I inspected the results.

Sure enough, while double quotes and tag characters were escaped in the corresponding link, single quotes were not. This would have been OK (the rest of their js code uses double quotes religiously for strings), but their use of Javascript link handlers and the need to pass an array of strings made the problem exploitable:

Good:
href="event_object_detail?id=XXXXXXX&pdr=XXXXX-XXXX" onclick="whatever_needs_doing()"

Bad:
href="javascript:analytics.PropertyManager._getInstance()._broadcastChange('events_bar_detail', ['type', 'location'+alert('xss')+'', 'event_action'])"

Interestingly, the Top Events section of the Event Handling page seems to be the only place in the Analytics admin interface where Javascript is called like this, which might have been part of the reason the vulnerability existed. It also did not overtly break the page, which might have kept testers from noticing. Getting into the Top Events section is trivial, as one only has to loop the Javascript as much as desired.

In Action:

Analytics XSS Demo (video)

Note that the malicious nature of the link is only obvious for demonstration reasons. Simply putting a legitimate URL in front of the malicious payload would hide it from the user.

Disclosure

I contacted Google regarding the vulnerability on January 5th, with relevant PoC code. They replied on the 6th, confirming the vulnerability, and confirmed that a patch had been written and was being tested on the 12th. On February 3rd, they confirmed their testing was complete, and that the patch was in place. I confirmed with my own tests, and then publicly disclosed. In addition, I was awarded $1000 for the report. Not bad for a little bit of Javascript and poking around. :P

Unrelated Blather

To those wondering where I've been the past month or so, I have been busy IRL getting set up at grad school among many things. As this blog is mainly to document the research and such that I am doing, the amount I post is directly related to the time I have to mess with things. I promise, updates to d0z.me soon, as well as my first Android vulnerability (yay!), and then whatever I feel like posting on after that. It's good to be back!

Comments (37) Trackbacks (3)
  1. Nice work man, grats on everything =-)

  2. Ooh, another very nice find! :-)

  3. @Kyle Thanks! I appreciate it!

    @Neal Thanks, I was pretty pleased with it. Not quite at your quantity of bugs yet though :P And I’m still looking to grab one of those reddit white hat trophies…

  4. ‘”–>alert(‘XSS’)

  5. Not entirely sure what you’re getting. I just double checked both my proof of concept and the example of a bad link, and both seem to be correct. Could you elaborate?

  6. Did it really take Google nearly a month to fix this in production? Amazing…

  7. @Marcin Yes, it did. I was quite surprised how long it took, given the quick turnaround I had had with other bugs. My guess is that the communication needed between the Android and Gmail teams slowed things down a lot, and was compounded by the holidays.

  8. Hey, great blog! Does running a blog like this require a lot of
    work? I’ve virtually no expertise in programming but I was hoping to start my own blog soon. Anyway,
    if you have any recommendations or tips for new
    blog owners please share. I know this is off topic nevertheless I simply wanted to ask.
    Appreciate it!

  9. When someone writes an article he/she maintains the plan of a user in his/her
    brain of how a user can know it. That’s why this paragraph is
    amazing. Thanks!

  10. Write more, that’s all I have to say. Literally, it seems as though you relied on the video to make your point.
    You clearly know what you’re talking about, why
    waste your intelligence on just posting videos to your site
    when you could be giving us something informative
    to read?

  11. I like the helpful information you provide in your articles.
    I’ll bookmark your weblog and check again here frequently.
    I’m quite sure I’ll learn lots of new stuff right here!
    Good luck for the next!

  12. Great submit, very informative. I ponder why the opposite
    experts of this sector don’t understand this. You should proceed your writing.
    I’m sure you’ve a great readers’ base already!

  13. Fantastic post, however I was wanting to know if you could write a
    little more on this topic? I’d be very grateful if you
    could elaborate a little bit more. Cheers!

  14. Fantastic blog! Do you have any hints for aspiring writers?
    I’m hoping to start my own blog soon but I’m a little lost on everything.
    Would you propose starting with a free platform like WordPress
    or go for a paid option? There are so many choices out
    there that I’m completely confused. Any recommendations?
    Kudos!

  15. I do agree with all of the ideas you have offered in your post.
    They’re very convincing and will definitely work. Still, the posts are too short for novices.

    May you please extend them a bit from subsequent time?
    Thanks for the post.

  16. Greetings! This is my first visit to your blog!

    We are a team of volunteers starting a new project in a community in the
    same niche. Your blog provided us useful information to work on. You
    have done an outstanding job!

  17. Pretty nice post. I just stumbled upon your blog and wanted to say that I’ve truly enjoyed surfing around your blog posts.
    In any case I’ll be subscribing to your rss feed and I hope you write again soon!

  18. Thanks for finally talking about >Google Analytics XSS Vulnerability

  19. Why do users still read newspapers when in this technological globe everything is accessible
    on the web?

  20. Hey There. I discovered your blog the usage of msn. This is an extremely well written article.
    I will make sure to bookmark it and come back to
    read more of your helpful info. Thanks for the post.
    I’ll certainly return.

  21. My brother recommended I would possibly like this web site.
    He used to be totally right. This publish truly made my day.
    You can’t believe simply how a lot time I had spent for this info!
    Thanks!

  22. Hi there friends, it’s a wonderful paragraph concerning teaching and
    fully defined, keep it up all the time.

  23. Valuable information. Lucky me, I discovered your website accidentally,
    and I’m shocked why this coincidence did not
    take place in advance! I bookmarked it.

  24. I love your blog. Very nice colors & theme. Did you create this website
    yourself or did you hire someone to do it for you?
    Plz respond as I’m looking to construct my own blog and would like to know
    where u got this from. Kudos

  25. It’s nearly impossible to find educated people in this
    particular subject, however, you sound like you know what you’re talking
    about! Thanks

  26. Hey There. I found your blog using msn. That is a really smartly written article.
    I will make sure to bookmark it and return to learn extra of your helpful info.
    Thank you for the post. I’ll certainly comeback.

  27. I couldn’t refrain from commenting. Exceptionally well written!

  28. Very quickly this website will be famous among all blog people, due
    to its fastidious articles

  29. Wow, amazing blog structure! How long have you ever been running a blog for?

    you make blogging look easy. The whole glance of your site is magnificent, as smartly as the
    content!

  30. Inspiring story there. What happened after?

    Good luck!

  31. What’s up, it’s a pleasant paragraph on the topic of media print,
    we all are aware that media is a wonderful source of information.

  32. What’s up everyone, it’s my first pay a visit at this
    web page, and paragraph is truly fruitful designed for
    me, keep up posting such content.

  33. Hmm, is anyone else encountering problems with the images on this
    blog loading? I’m trying to determine if it’s a problem
    on my end or if it’s the blog. Any suggestions would be greatly appreciated.

  34. At this time it appears like Movable Type is the top blogging
    platform available right now. (from what I’ve read)
    Is that what you’re using on your blog?

  35. Thanks in favor of sharing such a pleasant thought, the paragraph
    is pleasant, that’s why I have read it entirely