Disclaimer: This issue isn't patched, and I publish this write-up as a source of information. I am not responsible for any kind of misuse or harm performed against the users of this product by exploiting this issue.
Hi all, hope everyone is safe and healthy during this #COVID-19 pandemic. I'm back with a write-up, this time about a bug I found on the Google Forms platform.
It is a creative bug based on chaining Clickjacking with CSRF (Cross-Site Request Forgery).
Let's take a basic walk-through. Google Forms helps in creating forms and collecting large volumes of data in digital format. It is currently used by schools and colleges for examinations, by recruiting companies to collect employee information, by public event organisers, and many more.
Take a scenario: a company sets a challenge (a question to solve) as part of its hiring process at a college, so it creates a form to collect the answers. The form will have Email Id, Name, Mobile Number and Answer fields.
Info: the form can be submitted only once, with the official college email id, and additional entries are not allowed. Form setting: Limit to 1 response per user.
Now, let's submit a response and look at the request that is sent.
Multiple parameters are sent with the request; importantly, note the first four parameters, which carry the user data.
Now, I'm replicating the request with the first four parameters alone and seeing what happens.
We find that it redirects to the Google Forms page. Let's add a technique to make the attack possible: what if we load this page in an iframe?
Gotcha!! Now you can exploit this. All you need is to add some CSS (styling) to the page and make the user click it.
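Whether the page can be framed at all is what makes the iframe step work, and it is the property a defender checks on their own pages. Below is an added example, not part of the original write-up, that classifies a response's framing headers the way current browsers do, including the case where a CSP frame-ancestors directive overrides X-Frame-Options; the header sets are constructed.

```python
"""Decide whether an HTTP response allows the page to be framed cross-origin.

Clickjacking needs a frameable target. Browsers decide that from two response
headers: Content-Security-Policy frame-ancestors (which, when present, makes
X-Frame-Options be ignored) and, failing that, X-Frame-Options itself.
"""
from typing import Mapping, Optional


def frame_ancestors(csp: str) -> Optional[list[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frameable_by_third_party(headers: Mapping[str, str]) -> bool:
    """True if a page served with these headers can be framed by an arbitrary origin.

    Header names are matched case-insensitively; a single well-formed value per
    header is assumed (a constructed model, not a full browser implementation).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # An empty list, 'none', 'self' or explicit origins all exclude an unknown
        # attacker origin; only '*' or a bare scheme such as "https:" lets any site in.
        return any(src == "*" or src.endswith(":") for src in ancestors)
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return False
    # Missing, unrecognised, or the obsolete ALLOW-FROM form (ignored by current
    # browsers): nothing stops another site from embedding the response.
    return True


# Constructed header sets, not captured from Google Forms.
SAMPLES = {
    "no framing headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp overrides xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:22} frameable={frameable_by_third_party(hdrs)}")
```

The last sample is the pitfall worth remembering: a permissive frame-ancestors silently cancels an otherwise correct X-Frame-Options: DENY.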
Now, after this process, a user would find that the form was already submitted [unknowingly, the form got submitted through this attack].
In the end, a college student is made to submit data that is unknown to the student but is submitted in his name.
It can be widely exploited by targeting someone. Let's say I want to make my enemy fail this hiring test: I would particularly target him and launch this attack.
I reported this bug on Google's VRP platform, but the response was !!
NOTE: This write-up is published after clearance from the Google VRP team.
Thanks for reading. Meet you next time with another write-up. Follow me on Instagram, Twitter, and LinkedIn.