Hacking Google server using a malicious XML is possible

A Team of researchers discovered a critical XML External Entity (XXE) vulnerability on Google server that allows an attacker to access any internal file.

A group of researchers has discovered a critical vulnerability Google search engine that could allow an attacker to access the internal files of the production Google server. I desire to describe this case to remind you that there isn’t a platform totally secure and that the approach to security must be done through continuous review of our systems.

Curious that the researchers used Google dorking to search for vulnerabilities within unpopular applications managed by Google, The Google Toolbar button gallery was the application that most of all attracted their attention.

The researchers have uncovered a serious flaw in the Toolbar Button Gallery noting that Google’s feature allows users to customize their toolbars with new buttons by uploading XML files containing layout properties.

“Not two minutes later we noticed that the gallery provides users with the ability to customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various meta data (styling and such)”


Injecting specially crafted XML the attacker could force Google server, in particular the XML parser, to interpret the malicious XML code to load and include functionalities that could compromise the overall security of the server.

This kind of vulnerability is known as XML External Entity (XXE), as explained by OWASP, processing of an external entity containing tainted data may lead to disclosure of confidential information and other system impacts.

” There exists a specific type of entity, an external general parsed entity often shortened to an external entity, that can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application.” is reported in the blog post published by OSWAP.

The researcher succeeded to upload their malicious XML code, using the API specifications the researchers crafted their own button containing fishy XML entities to conduct the XXE attack.

The researchers were able to access to the /etc/passwd and the /etc/hosts of one of the Google server used in production and provided the images to prove the impact of their attack.

 “The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms,” the researchers wrote onblog post.

An attacker exploiting the vulnerability discovered by the researchers could have access any other file on any Google server, or worse could gain access to internal systems through the SSRF exploitation.

There is also a happy ending, after contacted Google the researchers were rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features.

Pierluigi Paganini

(Security Affairs –  Google server, hacking)

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.