Google Patches API Explorer Clickjacking Vulnerability

Google has patched a security vulnerability that could allow an attacker to compromise accounts associated with a wide number of Google services, including Gmail, YouTube, AdSense and Google Plus.

As detailed by Threatpost's Michael Mimoso, the vulnerability affected developers who had authorized access to their accounts through Google API Explorer, a tool that allows developers to interact with Google APIs through a Web-based interface.

To exploit the vulnerability, Google API Explorer users would need to be lured to a malicious website where they could be tricked into clicking on a button in an iframe. That button would then execute a malicious action using a call to the API Explorer.

Paulos Yibelo, the researcher who identified the vulnerability, noted that such clickjacking attacks are easily thwarted with the use of an X-Frame-Options HTTP response header, but they are often "underestimated," giving would-be attackers opportunity to do damage.

Here, although the vulnerability only affected a relatively small number of users — developers who have authorized Google API Explorer to access one or more of their Google accounts — the ramifications were significant because of the broad access Google's APIs provide. API Explorer provides access to essentially all API endpoints provided by Google APIs, making it possible for an attacker to take many actions, including deleting content, accessing emails and viewing user activity.
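The defence Yibelo refers to is a response header that tells the browser not to render the page inside a frame. The following example, added to this article and not Google's code, classifies an HTTP response's framing policy from its headers and hardens a header set that lacks one. It covers the X-Frame-Options header named above and the Content-Security-Policy frame-ancestors directive, which modern browsers prefer when both are present; the header sets in the block are constructed samples, not captured from any real service.

```python
"""Checking and adding clickjacking protection on HTTP responses.

Added example for this article; not Google's code. Two headers control
whether a browser will render a page inside a frame: X-Frame-Options
(the header the article names) and the Content-Security-Policy
frame-ancestors directive, which takes precedence when both are present.
"""
from typing import Dict, Optional


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, the same as 'none'.
            return " ".join(parts[1:]) or "'none'"
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify how a response may be framed.

    "blocked"      - no site may frame it
    "same-origin"  - only pages from the same origin may frame it
    "restricted"   - only the listed origins may frame it
    "unprotected"  - any site may frame it (clickjackable)
    """
    h = {name.lower(): value for name, value in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            sources = ancestors.lower().split()
            if sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            # A bare wildcard lets any origin frame the page.
            if "*" in sources:
                return "unprotected"
            return "restricted"

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete and ignored by current browsers, and any
        # other value is invalid; both leave the page frameable.
        return "unprotected"

    return "unprotected"


def add_frame_protection(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the headers with framing denied by both mechanisms."""
    hardened = dict(headers)
    hardened["X-Frame-Options"] = "DENY"
    csp = hardened.get("Content-Security-Policy")
    if csp is None or csp_frame_ancestors(csp) is None:
        hardened["Content-Security-Policy"] = (
            f"{csp}; frame-ancestors 'none'" if csp else "frame-ancestors 'none'"
        )
    return hardened


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real service.
    samples = {
        "no headers": {},
        "xfo only": {"X-Frame-Options": "DENY"},
        "csp + xfo": {"X-Frame-Options": "DENY",
                      "Content-Security-Policy": "frame-ancestors 'self'"},
    }
    for label, hdrs in samples.items():
        before = framing_policy(hdrs)
        after = framing_policy(add_frame_protection(hdrs))
        print(f"{label:>10}: {before} -> hardened: {after}")
```

Sending both headers is deliberate: frame-ancestors is the current standard and supports origin allow-lists, while X-Frame-Options still covers older browsers that do not evaluate CSP.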

Bug Bounties Show Mutual Success

According to Yibelo, he first reported the vulnerability he discovered to Google on April 12. After he sent additional information on April 21, Google fixed it that same day.

For his discovery, Google rewarded Yibelo with a $1,337 bug bounty. The amount, of course, is a reference to "leet" in hacker-speak, offering Yibelo some additional nonmonetary recognition from one of the world's largest tech companies.

Yibelo is just the latest researcher to receive a bug bounty from Google. Last month, the company provided a $5,000 bounty for the discovery of a YouTube bug. And Google is just one of a growing number of companies encouraging researchers, developers and power users to help them build better, more secure services through bug bounty programs.

While companies can't expect bug bounties to solve all their problems, this latest bug bounty success story demonstrates that monetary rewards and formal programs encouraging others to report the issues they find can bear fruit.

Patricio Robles