After running security tests against the changes behind Google Two-Factor Authentication, I came across a serious issue.
In this particular request, Google allowed me to change the "next step" parameter, and I could insert any website I liked!
After reporting this issue, they told me that it had already been reported internally, so it would not be eligible for a reward, but I got into the Hall of Fame anyway!
Details about the flaw:
Original link: https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1&scc=1&rm=false&osid=1&TL=AHnYQLyS15zLZZAZVOfOffY7nVH923l3UK6JSW9CP4YS7B4TRjiBSyJS38uns6KHZ6Z8z4Z8t-WGewKLoTVGUN8hMgYYXAHJwapRrNmZYIGaebn5_d23vO-KTOHFMZNBKUAPdiPZaKb2I2CFCXMLQ611QG6ThYSyjg==
This security flaw allowed any user to change the ?continue= parameter. In this case, the original link would redirect users to https://mail.google.com/mail/.
Malicious link: https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe&eprsic=AMkw5H1N7WAjwEmj5az8PPrL-OcQC9xur_e_f8yx9kyWEsc_OftPTFMBR4LpdJgCOkVMm-_kaPv9h0dULCcwNkXpfe6BqHDIDREMvd2CXXUI2BknlyYPp8LaxKeEeCmJoyHSi11TBErdcJhtrO67pQO4zRgqnpOo0cTasr5MRxPod5A9_KMmnkKKjaGXwKp-LEMn5-DRSsFI0fIRKRNsbSwWnwGdkCOT9HDxbb263YHTnlw9CFAomS8&authuser=0
If I change the parameter to ?continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe and distribute the malicious link, users would be redirected to malicious websites/files after clicking the "continue" button.
Check out the video to see how dangerous even a basic exploitation of this could be!
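As an added example (not code from the original post or from Google), here is the kind of server-side check that closes this class of open redirect: the continue= value is honoured only when it is an absolute https URL whose host is on a first-party allowlist, and anything else falls back to a fixed destination. The allowlist, the default and the query strings are assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of first-party hosts a post-login "continue" may target
# (hypothetical values for this example, not Google's real configuration).
ALLOWED_HOSTS = {"mail.google.com", "accounts.google.com"}
DEFAULT_CONTINUE = "https://accounts.google.com/"


def is_safe_continue(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for an absolute https URL whose host is on the allowlist.

    Rejects what commonly slips past a naive substring check: other schemes
    (http, javascript, data), scheme-relative "//host" URLs, userinfo tricks
    such as https://good@evil, look-alike hosts such as good.com.evil, and
    control characters or backslashes that browsers normalise differently.
    """
    if not url or any(ch in url for ch in "\r\n\t\\\x00"):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def resolve_continue(query_string: str) -> str:
    """Pick the redirect target for a login step from its raw query string.

    Returns the continue= value if it passes is_safe_continue(), otherwise the
    fixed default, so an attacker-supplied link can never leave first-party hosts.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    candidate = params.get("continue", [""])[0]
    return candidate if is_safe_continue(candidate) else DEFAULT_CONTINUE


if __name__ == "__main__":
    # Constructed query strings modelled on the two links in the write-up.
    legit = "continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1"
    bad = "hl=pt-PT&service=mail&continue=http://evil.example/payload.exe&authuser=0"
    print(resolve_continue(legit))  # https://mail.google.com/mail/
    print(resolve_continue(bad))    # https://accounts.google.com/
```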
Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto-response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team, who had problems reproducing the flaw
January 26, 2017 at 19:2 (WET Time): More Details and again, full explanation
January 30, 2017 at 12:07 (WET Time): Response from Security Team, who again had problems with the new details
January 30, 2017 at 12:52 (WET Time): Sent new details with a YouTube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team engineer saying he could reproduce the steps sent before and asking for some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice catch!" email
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.
New Hall of Fame link: https://bughunter.withgoogle.com/characterlist