Webcams exposed in Google Drive clickjack attack

Attackers can access a user's Google Drive files and record them through their webcam by tricking the user into clicking hidden links, a researcher found.

The click-jacking attack takes advantage of the Google Picker application interface, which allows users to preview files stored within Drive and via third-party applications. 

In a demonstration of the attack, researcher Tom Van Goethem (@tomvangoethem) showed users could be tricked into allowing an attacker to access private PDF files.

The video showed how a clickjacking attack - crafted as a simple game requiring user mouse-clicks - could hide check boxes that, when clicked, granted access to Google Drive files.

"... Google fails to verify whether a user is authorised to view the sensitive thumbnail," Van Goethem wrote in a post.

"Hell, they even allow unauthenticated access to the thumbnail! At the time of writing, this is still not fixed. A thumbnail - actually a clear snapshot of the first page of the document - for the selected PDF file is publicly available for 1-2 hours, allowing more than enough time for the attacker to download the file."

Google has been contacted for comment.

Van Goethem created a proof-of-concept for the Direct Object Reference vulnerability, which meant clickjacking attacks could "activate the camera, record a movie, store it to Google Drive, and send a thumbnail to the attacker".

Google appeared to have first intended to close the hole more than a year ago, according to a post by company engineer Kuntal Loya. He said Picker was supposed to fail without an OAuth token last month, but that change had been delayed to April.

Van Goethem reported his findings in September last year, but the vulnerability has yet to be fully fixed by the internet giant.

Google has changed Picker so it denies the ability - via a security header - for third party sites to load its content into frames, therefore scuppering the clickjacking attack.

But attackers could change the deny directive to 'allow-from', which means users on browsers such as Chrome, Safari and Opera could be targeted.

Security experts have called for security X-Frame headers introduced in Internet Explorer in 2008 to be used to reduce clickjacking attacks. (pdf)

Only around 30,000 of the top 1 million websites currently use the security header, according to a November report by application security company Veracode, which found there there was a "long way to go" for wide adoption of the security measure.

Update 21/2/14: Google said in a statement it is aware of the issue and is working to fix it.