I reported this problem to Google in June but I did not get the usual reply saying they were working on it, so I guess it isn't serious enough to be fixed. The problem is the page for requesting access to a private document. It does not have any protection against being framed, so you can make a private document, trick someone into clicking the button to request access and get an email from Google Docs with their full name and email address.

PoC: http://buildism.net/files/GoogleDocsClickjacking2.html

This only works if you are logged in to Google. In an actual exploit, the Google Docs frame would be completely transparent. Do not click the button unless you like sending your personal information to strangers on the internet.

You must agree to our terms of service to use our website.
Agree
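
The missing protection described above is an anti-framing response header. As an added example (not code from this post or from Google), the check below classifies whether a response's headers would stop a page from being rendered in a cross-origin frame; the function name `framingProtection` is hypothetical and the header values in `SAMPLES` are constructed.

```javascript
// Added example: does a response stop cross-origin framing?
// `headers` maps response header names to values (repeated headers joined with ", ").
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  // 1. An enforced CSP frame-ancestors directive wins; browsers then ignore X-Frame-Options.
  //    Content-Security-Policy-Report-Only is deliberately not read: it reports, never blocks.
  const ancestors = (h["content-security-policy"] || "")
    .split(/[;,]/) // directives across all comma-separated policies
    .map((d) => d.trim().toLowerCase().split(/\s+/))
    .filter((d) => d[0] === "frame-ancestors")
    .map((d) => d.slice(1));
  if (ancestors.length > 0) {
    const open = (srcs) => srcs.some((s) => ["*", "http:", "https:"].includes(s));
    return ancestors.some((srcs) => !open(srcs))
      ? { blocksFraming: true, reason: "CSP frame-ancestors restricts embedding" }
      : { blocksFraming: false, reason: "CSP frame-ancestors allows any origin" };
  }

  // 2. X-Frame-Options fallback: only DENY and SAMEORIGIN restrict framing.
  const xfo = new Set(
    (h["x-frame-options"] || "").split(",").map((v) => v.trim().toLowerCase()).filter(Boolean)
  );
  const known = ["deny", "sameorigin", "allowall"];
  if (xfo.size > 1 && known.some((v) => xfo.has(v)))
    return { blocksFraming: true, reason: "conflicting X-Frame-Options values are treated as a block" };
  if (xfo.has("deny") || xfo.has("sameorigin"))
    return { blocksFraming: true, reason: "X-Frame-Options " + [...xfo][0].toUpperCase() };
  if (xfo.size > 0)
    return { blocksFraming: false, reason: "X-Frame-Options value not honoured (e.g. ALLOW-FROM)" };
  return { blocksFraming: false, reason: "no anti-framing header" };
}

// Constructed sample responses, not captured from any real service.
const SAMPLES = [
  { "Content-Type": "text/html" },
  { "X-Frame-Options": "SAMEORIGIN" },
  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", framingProtection(s).reason);
```

Pages that trigger an action with the user's identity on a single click, such as an access-request form, are the ones to run through a check like this first.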