
Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google (accounts.google.com) - VRP

After running security tests against the changes behind Google Two-Factor Authentication, I came across a serious issue.
In this particular request, Google allowed me to change the "next step" parameter, and I could insert any website I liked!
After reporting this issue, they told me that it had already been reported internally, so it would not be valid for a reward, but I got into the Hall of Fame anyway!

Details about the flaw:

Original link: https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail&hl=pt-PT&ss=1&scc=1&rm=false&osid=1&TL=AHnYQLyS15zLZZAZVOfOffY7nVH923l3UK6JSW9CP4YS7B4TRjiBSyJS38uns6KHZ6Z8z4Z8t-WGewKLoTVGUN8hMgYYXAHJwapRrNmZYIGaebn5_d23vO-KTOHFMZNBKUAPdiPZaKb2I2CFCXMLQ611QG6ThYSyjg==

This security flaw allowed any user to change the ?continue= parameter to an arbitrary URL, without the value being checked against a whitelist of permitted destinations. In the original link, the parameter redirects the user to https://mail.google.com/mail/.

Malicious link: https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe&eprsic=AMkw5H1N7WAjwEmj5az8PPrL-OcQC9xur_e_f8yx9kyWEsc_OftPTFMBR4LpdJgCOkVMm-_kaPv9h0dULCcwNkXpfe6BqHDIDREMvd2CXXUI2BknlyYPp8LaxKeEeCmJoyHSi11TBErdcJhtrO67pQO4zRgqnpOo0cTasr5MRxPod5A9_KMmnkKKjaGXwKp-LEMn5-DRSsFI0fIRKRNsbSwWnwGdkCOT9HDxbb263YHTnlw9CFAomS8&authuser=0

If I change the parameter to ?continue=http://web.tecnico.ulisboa.pt/~manuelvsousa/vrp/virus.exe and spread the malicious link on the internet, users would be redirected to malicious websites/files after clicking on the "continue" button, while the address bar still showed a trusted accounts.google.com page at the moment they clicked.
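The defence against this class of bug is to validate the redirect target against a strict allowlist before issuing the redirect. The following is an added example of such a check, written for this post; it is not Google's code, and the allowed host list, the fallback URL and the function names are assumptions chosen for illustration. It shows the original link being accepted and the attacker-controlled ?continue= value being replaced by a safe fallback, and it also rejects some common bypass shapes (non-https schemes, scheme-relative URLs, userinfo tricks and look-alike subdomains).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist for the example: exact hosts plus a parent-domain suffix.
# These values are assumptions for illustration, not Google's actual policy.
ALLOWED_HOSTS = {"mail.google.com", "accounts.google.com", "www.google.com"}
ALLOWED_SUFFIXES = (".google.com",)
SAFE_FALLBACK = "https://www.google.com/"


def is_allowed_redirect(target: str) -> bool:
    """Return True only for an absolute https URL whose host is on the allowlist."""
    try:
        parts = urlsplit(target.strip())
    except ValueError:
        return False

    # Scheme-relative ("//evil.example/") and http:// targets have no https scheme: reject.
    if parts.scheme.lower() != "https":
        return False

    # urlsplit strips userinfo, so "https://mail.google.com@evil.example/" yields
    # hostname "evil.example"; reject anything carrying userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False

    host = (parts.hostname or "").lower()
    if not host:
        return False

    # Exact match first, then a dot-anchored suffix so "evilgoogle.com" and
    # "mail.google.com.evil.example" are both rejected.
    if host in ALLOWED_HOSTS:
        return True
    return any(host.endswith(suffix) for suffix in ALLOWED_SUFFIXES)


def safe_continue(request_url: str) -> str:
    """Extract continue= from a login URL and return a validated target or the fallback."""
    query = parse_qs(urlsplit(request_url).query)
    candidates = query.get("continue", [])
    if not candidates:
        return SAFE_FALLBACK
    target = candidates[0]
    return target if is_allowed_redirect(target) else SAFE_FALLBACK


if __name__ == "__main__":
    # Constructed sample links modelled on the shape of the ones in this post.
    legit = "https://accounts.google.com/signin/challenge/pwd/1?continue=https://mail.google.com/mail/&service=mail"
    hostile = "https://accounts.google.com/b/0/recovery/summary?hl=pt-PT&service=mail&continue=http://attacker.example/payload.exe&authuser=0"
    print(safe_continue(legit))    # https://mail.google.com/mail/
    print(safe_continue(hostile))  # https://www.google.com/
```

The check deliberately requires an absolute https URL rather than trying to "fix up" relative or http targets, and it matches the suffix with a leading dot so that a registered look-alike domain cannot satisfy it. A deployment would normally also log every rejected target, since a spike in rejections is a cheap signal that someone is probing the parameter.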

Check out the video to know how a basic exploitation could be so dangerous!

Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team having problems to reproduce the flaw
January 26, 2017 at 19:2 (WET Time): More details and, again, a full explanation
January 30, 2017 at 12:07 (WET Time): Response from Security Team having problems again with new details
January 30, 2017 at 12:52 (WET Time): Sent new details with youtube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team Engineer saying he could reproduce the steps sent before and asked some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice Catch!" email
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.
