Google Website Translator (Add Editor) CSRF and Google Tasks Clickjacking

May 04, 2013 Prakhar Prasad 1 minute

    I’d like to share some of my Google bugs.

    1. Google Website Translator CSRF (Add Editor)

    Allowed me to become an Editor on someone’s Google Website Translator Service.

    The page had CSRF Protection, but the CSRF token check was skipped on server side.

    Video POC:

    1. Google Tasks (Part of Gmail) Clickjacking

    Found a clickjacking issue in Google Tasks (Gmail), I was able to add arbitrary tasks in users' task list. The affected page was missing X-FRAME-OPTIONS header.

    Video POC: