
Google Docs $3133.7 Reward for data Leak.

Bug discovered on: 19th March 2017. Research time: 4:30 p.m. to 7:00 p.m.


The security flaw in this post is a combination of the first two Google bugs I posted on this blog. Four months ago I was actually trying to find the encrypted ID of the Google Drive file where all the form responses are recorded, in order to bypass "Limit to 1 response". In the end I couldn't find the ID and ended up with something else.
The vulnerabilities are:
1.) Leaking of the ID of the Google Drive file containing the form responses.
2.) Obtaining the email-id of the user with just 2 clicks.
The vulnerabilities were tested on my test account.
Here's how I found out...



The below image shows the Settings menu for a Google form.



After you finish filling in the form and submit it, you will see a few options (if the form creator allows them) like "Edit your response" and "See previous responses".
If the form creator allows users to view the responses given by others, then after submitting the form he/she will see "See previous responses".
Notice the URL.
After clicking on "See previous responses", one can see the responses, and the URL of this page is
https://docs.google.com/forms/d/e/[form-id]/viewanalytics
If the form creator has unchecked "See summary charts and text responses", then after submitting the form there is no link for viewing responses.
The URL of the post-submission page in that case is https://docs.google.com/forms/d/e/[form-id]/formresponses
I replaced "formresponse" in the URL with "viewanalytics".

The new URL is https://docs.google.com/forms/d/e/[form-id]/viewanalytics
I thought it would show the summary and the responses, but it didn't. It showed a page for requesting access from the owner of the form.
When the Request access button is clicked, an e-mail is sent to the form owner asking for permission to view the form responses.
Later I came to know that the page was lacking X-Frame-Options and could be embedded in any website, making it vulnerable to clickjacking.
The video below shows the demonstration of clickjacking.
Through this, an attacker can get the email-id of any logged-in user with just 2 clicks, since the access request e-mail identifies the user who clicked.
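The finding above comes down to one missing response header. As an added example (not code from the original post), the following check classifies whether a response can be framed by a third-party site, looking at both X-Frame-Options and the CSP frame-ancestors directive that supersedes it. The two sample responses are constructed for this illustration; the first is shaped like the vulnerable page (no framing header at all).

```python
"""
Added example (not code from the original post): classify a response's
framing protection, the control whose absence let the viewanalytics
page be embedded in any site for clickjacking. The sample responses
below are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass
class FramingVerdict:
    framable_cross_origin: bool   # True means a third-party site can frame it
    source: str                   # which header (or lack of one) decided
    detail: str


def parse_raw_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased
    name -> value dict; the status line and body are ignored."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = {}
    for line in head.split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None
    when the policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict) -> FramingVerdict:
    h = {k.lower(): v for k, v in headers.items()}

    # A CSP frame-ancestors directive takes precedence: browsers that
    # honour it ignore X-Frame-Options on the same response.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:
                return FramingVerdict(False, "csp", "frame-ancestors 'none'")
            if any(s in ("*", "http:", "https:") for s in sources):
                return FramingVerdict(True, "csp", "frame-ancestors allows any origin")
            return FramingVerdict(False, "csp", "frame-ancestors " + " ".join(sources))

    xfo = h.get("x-frame-options")
    if xfo is None:
        return FramingVerdict(True, "none",
                              "no X-Frame-Options and no CSP frame-ancestors")
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(False, "x-frame-options", value)
    # ALLOW-FROM is obsolete and unrecognised values are ignored by
    # current browsers, so the page is effectively unprotected.
    return FramingVerdict(True, "x-frame-options", f"ignored value {xfo!r}")


# Constructed responses: the first is shaped like the finding (no framing
# header at all), the second is what a hardened server should send.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
    "<html>...request access page...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, framing_protection(parse_raw_headers(raw)))
```

Sending both headers, as the hardened sample does, covers older browsers that only understand X-Frame-Options as well as current ones that prefer frame-ancestors.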

Information Leak.

The form-id and the ID of the Google Drive file where all the responses of the form are recorded are totally different.
For example, if the Form ID is 1FAIpQLSflZTFP5mscYfOUou_wIW1AjhrnkZSxvIKXGoJJA
then the Google Drive file ID is 1dnVfApWOE7dcrObNUX_-iPseu1zIkowcxfQ
The file ID is encrypted and hackers cannot guess it. However, in the viewanalytics page the id was leaking.
The request intercepted after clicking on the Request access button was (this is the HTTP request the browser sends to the server):

POST /sharing/commonshare HTTP/1.1
Host: docs.google.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://docs.google.com/forms/d/[form-id]/edit?no_redirect=true
Content-Type: application/x-www-form-urlencoded;charset=utf-8
X-Same-Domain: explorer
Content-Length: 135
Cookie: ------------
Connection: close

requestType=requestAccess&itemIds=[Google Drive file-id]&foreignService=explorer&shareService=explorer&authuser=0


The itemIds parameter's value is the encrypted ID of the file where all the form responses are stored.
The vulnerabilities are now fixed by redirecting the viewanalytics page to analytics-restricted. Here is the video confirming the fix.
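The underlying design point is that the unauthorised "request access" page should never have carried the backing file's ID at all: the requester already knows the form ID from the URL, and the server can resolve the file from it. The following is an added example, not Google's code, that models the before and after in a few functions. The FORMS table, the user addresses and the template names are constructed for the illustration; the two IDs are the post's own example values, and analytics_restricted stands in for the analytics-restricted page the post mentions.

```python
"""
Added example (not Google's code): a minimal model of the viewanalytics /
request-access flow showing why the responses file ID must not reach an
unauthorised client. FORMS, the user addresses and the template names
are constructed; the two IDs are the post's example values.
"""
from dataclasses import dataclass, field

FORMS = {
    "1FAIpQLSflZTFP5mscYfOUou_wIW1AjhrnkZSxvIKXGoJJA": {
        "owner": "owner@example.test",
        "responses_file": "1dnVfApWOE7dcrObNUX_-iPseu1zIkowcxfQ",
        "show_summary": False,   # "See summary charts and text responses" unchecked
    },
}
PENDING_REQUESTS = []


@dataclass
class Page:
    """What the server sends to the browser: a template name plus every
    value embedded in it (hidden inputs, URLs, POST parameters)."""
    template: str
    fields: dict = field(default_factory=dict)


def can_view_analytics(form_id: str, user: str) -> bool:
    form = FORMS[form_id]
    return user == form["owner"] or form["show_summary"]


def viewanalytics_leaky(form_id: str, user: str) -> Page:
    """Before: the access-request page embeds the Drive file ID so the
    browser can POST it back as itemIds (the leak described in the post)."""
    form = FORMS[form_id]
    if can_view_analytics(form_id, user):
        return Page("analytics", {"form_id": form_id})
    return Page("request_access", {"itemIds": form["responses_file"]})


def viewanalytics_hardened(form_id: str, user: str) -> Page:
    """After: unauthorised viewers get a restricted page that carries only
    the form ID, which they already know from the URL."""
    if can_view_analytics(form_id, user):
        return Page("analytics", {"form_id": form_id})
    return Page("analytics_restricted", {"form_id": form_id})


def request_access(form_id: str, requester: str) -> dict:
    """The POST handler resolves the backing file server-side, so the
    client never needs to see its ID to ask for access."""
    form = FORMS[form_id]
    record = {"file": form["responses_file"], "owner": form["owner"],
              "requester": requester}
    PENDING_REQUESTS.append(record)
    return record


def leaks_file_id(page: Page, form_id: str) -> bool:
    """Check used in review: does any value embedded in the page contain
    the backing file ID?"""
    secret = FORMS[form_id]["responses_file"]
    return any(secret in str(v) for v in page.fields.values())


if __name__ == "__main__":
    form_id = next(iter(FORMS))
    for handler in (viewanalytics_leaky, viewanalytics_hardened):
        page = handler(form_id, "visitor@example.test")
        print(handler.__name__, page.template, "leaks:", leaks_file_id(page, form_id))
```

The leaks_file_id check is the kind of assertion worth keeping in a test suite: render every page an unauthorised user can reach and assert that no internal identifier of the protected resource appears in its fields.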
March 19th 2017: Bug was reported.
March 24th 2017: I got a reply from Mr. Martin saying...
Hi, the clickjacking is not the issue here. Actually the leak of itemsid is definitely a real issue. I've filed a bug based on your report. The panel will evaluate it at the next VRP panel meeting and we'll update you once we've got more information.
March 30th 2017: $3133.7 reward issued!