Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP

After running security tests against the changes behind Google Two-Factor Authentication, I came across a serious issue.
In this particular request Google allowed me to change the "next step" parameter, and I could insert any website I liked!
After reporting this issue, they told me it had already been reported internally, so it would not be eligible for a reward, but I got into the Hall of Fame anyway!

Details about the flaw:

Original link: https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1&scc=1&rm=false&osid=1&TL=AHnYQLyS15zLZZAZVOfOffY7nVH923l3UK6JSW9CP4YS7B4TRjiBSyJS38uns6KHZ6Z8z4Z8t-WGewKLoTVGUN8hMgYYXAHJwapRrNmZYIGaebn5_d23vO-KTOHFMZNBKUAPdiPZaKb2I2CFCXMLQ611QG6ThYSyjg==

This security flaw allowed any user to change the ?continue= parameter. In this case, the original link would redirect users to https://mail.google.com/mail/.

Malicious link: https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe&eprsic=AMkw5H1N7WAjwEmj5az8PPrL-OcQC9xur_e_f8yx9kyWEsc_OftPTFMBR4LpdJgCOkVMm-_kaPv9h0dULCcwNkXpfe6BqHDIDREMvd2CXXUI2BknlyYPp8LaxKeEeCmJoyHSi11TBErdcJhtrO67pQO4zRgqnpOo0cTasr5MRxPod5A9_KMmnkKKjaGXwKp-LEMn5-DRSsFI0fIRKRNsbSwWnwGdkCOT9HDxbb263YHTnlw9CFAomS8&authuser=0

If I change the parameter to ?continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe and distribute the malicious link on the internet, users would be redirected to malicious websites/files after clicking the "continue" button.
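The root cause is a redirect target that is accepted without being bound to an allowed host. The following is an added example (not Google's code, and the allowlist and default landing page are assumptions) contrasting a check that only requires "some http(s) URL" with one that parses the value and compares scheme and host exactly; it also covers common bypass shapes such as userinfo tricks and look-alike subdomains:

```python
from urllib.parse import urlsplit

# Assumed allowlist for the "continue" parameter (constructed for this example).
ALLOWED_HOSTS = {"mail.google.com", "accounts.google.com"}
ALLOWED_SCHEMES = {"https"}
DEFAULT_LANDING = "https://accounts.google.com/"

# Value taken from the write-up's malicious link (the eprsic token omitted).
MALICIOUS_CONTINUE = "http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe"
ORIGINAL_CONTINUE = "https://mail.google.com/mail/"


def weak_is_allowed(continue_url: str) -> bool:
    """Accepts any absolute http(s) URL: the host is never checked, so an
    arbitrary site or file download passes. Shown as the weak form only."""
    return continue_url.lower().startswith(("http://", "https://"))


def strict_is_allowed(continue_url: str) -> bool:
    """Parse the URL and require an allowed scheme and an exact host match."""
    try:
        parts = urlsplit(continue_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:       # rejects "//host", "http:", "javascript:"
        return False
    if parts.username is not None or parts.password is not None:
        return False                              # rejects https://mail.google.com@evil.example
    if "\\" in continue_url:
        return False                              # some browsers treat "\" as "/"
    host = parts.hostname
    if host is None:
        return False
    return host.lower() in ALLOWED_HOSTS          # exact match, not substring/suffix


def safe_redirect_target(continue_url: str) -> str:
    """Return the continue URL only if it passes the strict check, else the default page."""
    return continue_url if strict_is_allowed(continue_url) else DEFAULT_LANDING


if __name__ == "__main__":
    for url in (ORIGINAL_CONTINUE, MALICIOUS_CONTINUE, "https://mail.google.com@evil.example/"):
        print(f"{url}\n  weak={weak_is_allowed(url)} strict={strict_is_allowed(url)}")
```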

Check out the video to see how dangerous even a basic exploitation of this can be!

Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team, having problems reproducing the flaw
January 26, 2017 at 19:2 (WET Time): More details and, again, a full explanation
January 30, 2017 at 12:07 (WET Time): Response from Security Team, still having problems with the new details
January 30, 2017 at 12:52 (WET Time): Sent new details with a YouTube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team engineer saying he could reproduce the steps sent before, asking for some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice Catch!" email
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.