Pages - Menu

Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google ( - VRP

After executing security tests against the changes behind the Google Two Factor Authentication, I came up with a serious situation.
In this particular request google allowed me to change the “next step” parameter, and I could insert any website I would like!
After reporting this issue, they told me that this was already reported internally, so It would not be valid for reward, but I got Hall of Fame anyway!

Details about the flaw:

Original link:

This security flaw allowed any user to change the ?continue= parameter. In this case, the original link would redirect the users to .

Malicious link:

If I change the parameter to ?continue=, and send the malicious link to the internet, users would be redirected to malicous websites/files after clicking on the "continue" button.

Check out the video to know how a basic exploitation could be so dangerous!

Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team having problems to reproduce the flaw
January 26, 2017 at 19:2 (WET Time): More Details and again, full explanation 
January 30, 2017 at 12:07 (WET Time): Response from Security Team having problems again with new details
January 30, 2017 at 12:52 (WET Time): Sent new details with youtube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team Engineer saying he could reproduce the steps sent before and asked some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice Catch! Email" 
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.

No comments:

Post a Comment