Categories: Hacking

Hacking Google server using a malicious XML is possible

A Team of researchers discovered a critical XML External Entity (XXE) vulnerability on Google server that allows an attacker to access any internal file.

A group of researchers has discovered a critical vulnerability Google search engine that could allow an attacker to access the internal files of the production Google server. I desire to describe this case to remind you that there isn’t a platform totally secure and that the approach to security must be done through continuous review of our systems.

Curious that the researchers used Google dorking to search for vulnerabilities within unpopular applications managed by Google, The Google Toolbar button gallery was the application that most of all attracted their attention.

The researchers have uncovered a serious flaw in the Toolbar Button Gallery noting that Google’s feature allows users to customize their toolbars with new buttons by uploading XML files containing layout properties.

“Not two minutes later we noticed that the gallery provides users with the ability to customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various meta data (styling and such)”


Injecting specially crafted XML the attacker could force Google server, in particular the XML parser, to interpret the malicious XML code to load and include functionalities that could compromise the overall security of the server.

This kind of vulnerability is known as XML External Entity (XXE), as explained by OWASP, processing of an external entity containing tainted data may lead to disclosure of confidential information and other system impacts.

” There exists a specific type of entity, an external general parsed entity often shortened to an external entity, that can access local or remote content via a declared system identifier. The system identifier is assumed to be a URI that can be dereferenced (accessed) by the XML processor when processing the entity. The XML processor then replaces occurrences of the named external entity with the contents dereferenced by the system identifier. If the system identifier contains tainted data and the XML processor dereferences this tainted data, the XML processor may disclose confidential information normally not accessible by the application.” is reported in the blog post published by OSWAP.

The researcher succeeded to upload their malicious XML code, using the API specifications the researchers crafted their own button containing fishy XML entities to conduct the XXE attack.

The researchers were able to access to the /etc/passwd and the /etc/hosts of one of the Google server used in production and provided the images to prove the impact of their attack.

 “The root cause of XXE vulnerabilities is naive XML parsers that blindly interpret the DTD of the user supplied XML documents. By doing so, you risk having your parser doing a bunch of nasty things. Some issues include: local file access, SSRF and remote file includes, Denial of Service and possible remote code execution. If you want to know how to patch these issues, check out the OWASP page on how to secure XML parsers in various languages and platforms,” the researchers wrote onblog post.

An attacker exploiting the vulnerability discovered by the researchers could have access any other file on any Google server, or worse could gain access to internal systems through the SSRF exploitation.

There is also a happy ending, after contacted Google the researchers were rewarded with $10,000 bounty for identifying an XML External Entity (XXE) vulnerability in one of the search engine’s features.

Pierluigi Paganini

(Security Affairs –  Google server, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

TP-Link Archer C5400X gaming router is affected by a critical flaw

Researchers warn of a critical remote code execution vulnerability in TP-Link Archer C5400X gaming router.…

21 mins ago

Sav-Rx data breach impacted over 2.8 million individuals

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people…

10 hours ago

The Impact of Remote Work and Cloud Migrations on Security Perimeters

Organizations had to re-examine the traditional business perimeter and migrate to cloud-based tools to support…

18 hours ago

New ATM Malware family emerged in the threat landscape

Experts warn of a new ATM malware family that is advertised in the cybercrime underground,…

19 hours ago

A high-severity vulnerability affects Cisco Firepower Management Center

Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management…

24 hours ago

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat…

2 days ago

This website uses cookies.