
Sunday, September 10, 2017

URL Whitelist Bypass - Accounts Google ( - VRP

After executing security tests against the changes behind the Google Two Factor Authentication, I came up with a serious situation.
In this particular request Google allowed me to change the “next step” parameter, and I could insert any website I would like!
After reporting this issue, they told me that this was already reported internally, so it would not be valid for reward, but I got Hall of Fame anyway!

Details about the flaw:

Original link:

This security flaw allowed any user to change the ?continue= parameter. In this case, the original link would redirect the users to .

Malicious link:

If I change the parameter to ?continue=, and send the malicious link to the internet, users would be redirected to malicious websites/files after clicking on the "continue" button.

Check out the video to know how a basic exploitation could be so dangerous!
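
The root cause described above is a server that redirects to whatever `?continue=` contains. One way to validate such a parameter server-side before redirecting, as an added example (not Google's code and not part of the original post); the hosts, `ALLOWED_HOSTS`, `DEFAULT_TARGET` and `safe_continue` are hypothetical names chosen for illustration:

```python
from urllib.parse import urlsplit

# Assumption: exact hosts the sign-in flow is allowed to continue to.
ALLOWED_HOSTS = {"accounts.example.com", "mail.example.com"}
# Assumption: where to send the user when the target is rejected.
DEFAULT_TARGET = "https://accounts.example.com/"


def safe_continue(target: str) -> str:
    """Return target only if it is an https URL on an allowlisted host."""
    # Reject empty values, padding, backslashes and control characters up
    # front: browsers and URL parsers disagree on how to treat them.
    if not target or target != target.strip():
        return DEFAULT_TARGET
    if any(c in target for c in "\\\r\n\t"):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_TARGET
    # Absolute https only: blocks scheme-relative ("//host") and other schemes.
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # No userinfo: "allowed-host@other-host" must never pass as allowed-host.
    if parts.username is not None or parts.password is not None:
        return DEFAULT_TARGET
    if port not in (None, 443):
        return DEFAULT_TARGET
    # Exact match on the parsed host, never a prefix/suffix/substring test.
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return target


if __name__ == "__main__":
    # Constructed sample values, not taken from the original report.
    samples = [
        "https://mail.example.com/inbox",
        "https://evil.example/",
        "https://accounts.example.com.evil.example/",
        "https://accounts.example.com@evil.example/",
        "//evil.example/",
        "http://accounts.example.com/",
    ]
    for s in samples:
        verdict = "allow" if safe_continue(s) == s else "reject"
        print(f"{verdict:6} {s}")
```

The comparison is made on the parsed hostname, so a trusted name appearing elsewhere in the string (as userinfo, as a subdomain label, or inside the query) does not satisfy the check.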

Disclosure Timeline
January 26, 2017 at 00:00 (WET Time): Vulnerability Discovered
January 26, 2017 at 00:13 (WET Time): Initial Report
January 26, 2017 at 00:13 (WET Time): Auto response from Security bot
January 26, 2017 at 11:19 (WET Time): First response from Security Team
January 26, 2017 at 11:25 (WET Time): More details sent to Security Team
January 26, 2017 at 16:41 (WET Time): Response from Security Team having problems reproducing the flaw
January 26, 2017 at 19:2 (WET Time): More Details and again, full explanation 
January 30, 2017 at 12:07 (WET Time): Response from Security Team having problems again with new details
January 30, 2017 at 12:52 (WET Time): Sent new details with YouTube video explanation and Proof of Concept
January 31, 2017 at 14:06 (WET Time): Response from another Security Team Engineer saying he could reproduce the steps sent before and asked some more details
January 31, 2017 at 14:55 (WET Time): My last response
February 1, 2017 at 11:19 (WET Time): "Nice Catch! Email" 
February 3, 2017: Vulnerability Fixed
February 7, 2017 at 22:46 (WET Time): Bounty Rewarded.

