Google WordPress Site Kit plugin grants attacker Search Console Access

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console.

The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and up-to-date advice on how to succeed on the web, it has over 300,000 active installations.

Experts from Wordfence found a critical bug in the ‘Site Kit’ plugin that could be exploited by authenticated attackers to gain owner access to targeted sites’ Google Search Console.

“This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.” reads the analysis published by Wordfence.

The vulnerability is caused by the disclosure of the proxySetupURL contained in the HTML source code of admin pages, it is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.

“In order to establish the first connection with Site Kit and Google Search Console, the plugin generates a proxySetupURL that is used to redirect a site’s administrator to Google OAuth and run the site owner verification process through a proxy.” continues the analysis.

“Due to the lack of capability checks on the admin_enqueue_scripts action, the proxySetupURL was displayed as part of the HTML source code of admin pages to any authenticated user accessing the /wp-admin dashboard.”

Experts also noticed another issue related to the verification request used to verify a site’s ownership was a registered admin action fails to check whether the requests to come from any authenticated WordPress user.

Chaining the two vulnerabilities it is possible to achieve the ownership of the Google Search Console allowing an attacker to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns.

“These two flaws made it possible for subscriber-level users to become Google Search Console owners on any affected site,” continues Wordfence.

“An owner in Google Search Console can do things like request that URLs be removed from the Google Search engine, view competitive performance data, modify sitemaps, and more. Unwarranted Google Search Console owner access on a site has the potential to hurt the visibility of a site in Google search results and impact revenue as an attacker removes URLs from search results. More specifically, it could be used to aid a competitor who wants to hurt the ranking and reputation of a site to better improve their own reputation and ranking.”

The good news is that Google sends an email alert when a new Google Search Console owners have been added allowing admins to remove the unknown owner.

As an extra precaution, admin can also reset the WordPress Site Kit connection so that they will have to reconnect all previously connected Google services.

Wordfence discovered the privilege escalation issue on April 21 and reported to Google on April 22.

Google addressed the vulnerability on May 7 with the release of Site Kit 1.8.0.

At the time of writing over 200,000 website owners have updated their Site Kit plugins, but over 100,000 sites are still vulnerable.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Site Kit, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]