G Suite - Device Management XSS

In G Suite for Business, you can manage other users' devices. These devices include iOS, Android and Chrome devices, and also network configurations such as VPNs, WiFi and Ethernet. This specific issue was found in Chrome management.

Chrome management is particularly interesting. It is mostly used on Chromebooks and is quite common among school districts in the United States. Administrators can control different features of Chrome with it, for example blocking the developer console, URL whitelisting, password management and bookmark sync.

All of these settings are then synced when a user uses Chrome with their organization email. This is done by going to Chrome settings and selecting “Add profile”. Once the profile is added, all the settings from the Chrome management console are synced to that user's Chrome. One such setting is bookmarks.

Administrators can set bookmarks that are synced throughout the organization. This does not require super admin permissions: a user with permission to manage services/applications has full rights to edit the Chrome settings in G Suite. When a bookmark is added and synced, it shows up in the remote Chrome of any user who is syncing their account. So, initially I tried putting in common URLs and also attempted some XSS payloads. Most of these payloads were blocked in the UI; for example, if you put javascript:alert(document.domain) it will ask you to re-enter the URL because it was not valid. Next, I added a valid URL and saved that data. When the data was saved, a POST request was made. In the POST request, I changed the URL and put javascript:alert(document.domain) in the URL field.

The request went through with no error and a bookmark was created. Next, this bookmark was synced to all the Chrome browsers where a user in my organization was logged in. Because the bookmark can be synced, this presented a valid security risk. We all know that bookmarks are allowed to contain javascript, but when a whole G Suite organization can be attacked with such a simple trick, Google decided to put in a fix. They made sure that in Device management a javascript payload can no longer be inserted.
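The root cause above is a check that lived only in the UI while the save request was accepted unvalidated. The following is an added example, not Google's code, of the server-side check a bookmark save handler should run on every URL before storing and syncing it; the request body shape, field names and sample URLs are assumptions constructed for the example.

```python
"""Server-side validation for administrator-supplied bookmark URLs."""
from urllib.parse import urlsplit

# The only schemes a synced bookmark legitimately needs.
ALLOWED_SCHEMES = {"http", "https"}

# ASCII controls plus space: browsers strip these from both ends of a URL.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def normalize_url(raw):
    """Apply the same cleanup a browser does before resolving a URL.

    Browsers trim leading/trailing controls and spaces and drop tab, CR
    and LF anywhere in the string, so "java<TAB>script:alert(1)" is still
    a javascript: URL once clicked. Validate what the browser will see,
    not the raw string the client sent.
    """
    cleaned = raw.strip(_STRIP_CHARS)
    for ch in ("\t", "\r", "\n"):
        cleaned = cleaned.replace(ch, "")
    return cleaned


def is_safe_bookmark_url(raw):
    """True only for an absolute http(s) URL that names a host."""
    parts = urlsplit(normalize_url(raw))
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return False  # rejects javascript:, data:, file:, vbscript:, bare text
    return bool(parts.netloc)  # "http:" with no host is not a usable bookmark


def reject_unsafe_bookmarks(bookmarks):
    """Return the names of entries the save handler must refuse.

    `bookmarks` mirrors an assumed request body: [{"name": ..., "url": ...}].
    Fail the whole request when this list is non-empty instead of silently
    dropping entries, so the administrator sees why the save did not apply.
    """
    return [b["name"] for b in bookmarks if not is_safe_bookmark_url(b.get("url", ""))]


# Constructed sample request body; the last two entries mimic a tampered POST.
SAMPLE_REQUEST = [
    {"name": "Intranet", "url": "https://intranet.example.com/"},
    {"name": "HR portal", "url": "http://hr.example.com/login"},
    {"name": "Tampered", "url": "javascript:alert(document.domain)"},
    {"name": "Obfuscated", "url": " java\tscript:alert(document.domain)"},
]

if __name__ == "__main__":
    print(reject_unsafe_bookmarks(SAMPLE_REQUEST))  # ['Tampered', 'Obfuscated']
```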