Google’s April Fool’s prank inadvertently broke their security

On April Fools' Day, Google used its own .google gTLD to launch a backwards version of its home page from the domain com.google. Technically, however, the idea was not good for Google itself: in pranking its users, Google had inadvertently broken some of the site's security.

According to a blog post published Friday by researchers from Netcraft, Google undermined an important security feature on its real homepage, which left it vulnerable to user interface redressing attacks such as clickjacking.

Attackers could have seized on the omission of the X-Frame-Options header to change a user's search settings, including turning off SafeSearch filters. The chief reason for using X-Frame-Options is to prevent the use of HTML iframe tags to display Google's homepage on third-party Web pages. With that protection bypassed, attackers were free to stitch the Google page into their own site and embed hidden code that changed the function of certain links.

In the blog post, the researchers explained:
Google uses the X-Frame-Options HTTP response header to prevent other websites from displaying it within an iframe. But for the April Fools' prank Google stepped around this problem by passing the parameter "igu=2" to google.com, which not only told it to display the content backwards, but also instructed the server to omit the X-Frame-Options header entirely.
By dropping X-Frame-Options, Google allows a remote attacker to display the Google Search Settings page in an iframe on an external domain, and trick his victims into unwittingly changing those settings.

The researchers showed two different responses: one from the normal site and one from the April Fools' page.
This is the ordinary response from the Google search settings page:
HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 35486
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:54:14 GMT
Expires: Wed, 01 Apr 2015 09:54:14 GMT
Server: gws
Set-Cookie: [redacted]
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
And this is the response with the igu=2 parameter appended, where the X-Frame-Options header was omitted:
HTTP/2.0 200 OK
Alternate-Protocol: 443:quic,p=0.5
Cache-Control: private
Content-Encoding: gzip
Content-Length: 33936
Content-Type: text/html; charset=UTF-8
Date: Wed, 01 Apr 2015 09:58:30 GMT
Expires: Wed, 01 Apr 2015 09:58:30 GMT
Server: gws
Set-Cookie: [redacted]
X-XSS-Protection: 1; mode=block
X-Firefox-Spdy: h2-15
Omitting the X-Frame-Options header allows the page to be displayed in a frame. As a result, anyone was free to display the Google search settings page within an iframe on their own site.
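To make the difference between the two responses checkable, here is an added example (not Netcraft's or Google's code) that parses raw HTTP responses like those above and classifies whether the page can be framed by another origin. The sample responses are constructed from the headers quoted above, and the Content-Security-Policy frame-ancestors check covers the directive that has since superseded X-Frame-Options.

```python
import re

# Constructed sample responses, reduced to the headers that matter from the
# two responses quoted above (the remaining fields are omitted).
NORMAL_RESPONSE = (
    "HTTP/2.0 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)
IGU2_RESPONSE = (
    "HTTP/2.0 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n\r\n"
)


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values; skips the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_policy(raw: str) -> str:
    """Classify how a response restricts framing by other origins.

    Returns 'denied', 'same-origin', 'restricted' (CSP frame-ancestors with
    an allow-list) or 'frameable' (no effective protection). CSP is checked
    first because browsers give frame-ancestors precedence over X-Frame-Options.
    """
    h = parse_headers(raw)
    m = re.search(r"frame-ancestors\s+([^;]+)",
                  h.get("content-security-policy", ""), re.IGNORECASE)
    if m:
        sources = m.group(1).strip().lower()
        if sources == "'none'":
            return "denied"
        return "same-origin" if sources == "'self'" else "restricted"
    xfo = h.get("x-frame-options", "").lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin"
    return "frameable"  # header missing, or an unrecognised/obsolete value
```

Running framing_policy over the two samples returns "same-origin" for the normal response and "frameable" for the igu=2 response, which is exactly the gap Netcraft described.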

Netcraft reported the issue to Google, and it has since been fixed.