Journey through Google referer leakage bugs.


Hello Hunters,
Here is a write-up about a simple bug which leaks sensitive tokens present in the URL through the referer header. In Google I have found this particular issue in several endpoints. Let's look into it.

Bug 1
The journey of this bug started when I read a write-up of an XSS in Google. You can read it here. It was after my regular school hours that I decided to just surf through https://colab.research.google.com (I got this endpoint from that write-up). I didn't expect to find any bugs, as many top researchers had been behind Google Colab for the past 2 weeks. Without any hope I was clicking on each option to learn the website's behavior. After some time I found an option to import projects from GitHub. This smelled fishy to me. So I decided to test it for SSRF (Server Side Request Forgery). For that I was going through the HTTP history in Burp Suite. As usual, the expected thing never happens with Google. Then the referer header in the request caught my attention. The actual URL of my project file was visible in the request to GitHub. It would be normal behavior if Google didn't have anything sensitive in the URL. But in my case it was an exception.

Google has a feature to share documents through shareable links. That is, you can generate a unique link for your documents and share it. The person with that link will have access to your documents. It is more or less similar to YouTube's unlisted video feature.

Google Colab also had the same feature.

[Screenshot from 2018-12-31 19-49-48, image not reproduced]

Let's get back to the bug. The request looked like this:

[Screenshot from 2018-12-31 19-53-24, image not reproduced]

Did you notice? The referer header has our secret token and the host is api.github.com. So a person with access to GitHub's logs can see all shareable links made in Google Colab. I was awarded $3133.7 for this bug. I guess the amount was huge because the default working of Google Colab would leak the URL without any attacker intervention.

Bug 2
I guessed there must be similar bugs in some other Google products, as Google had the same sharing feature in several other sites. So I decided to try this issue in some other endpoints. How can anyone miss YouTube when thinking about shareable URLs (unlisted videos)? So I decided to give it a try on YouTube. I just tried to comment a link on a YouTube video and then click on it. But there is something called the YouTube redirector 😦 It will initially redirect our URL to another URL which looks like: https://www.youtube.com/redirect?q=http%3A%2F%2Fevil.com. Due to this the referer header will always have the value "https://www.youtube.com/redirect". So I decided to get back and watch some CTF videos. On my YouTube home page I noticed something called YouTube Gaming. When I clicked on it, I got redirected to another subdomain, https://gaming.youtube.com. As it is another subdomain, I decided to give the same bug a try here:
1. So I opened a random video.
2. I was lazy to open Burp, so I pasted the link https://whatismyreferer.com (this site displays the value of your referer header).
3. Then I clicked on it. Surprisingly it also leaked the referer ID without any redirection in between.

With this I can leak unlisted Gaming videos' URLs. Yippee!!
For this I was awarded $500 from the Google VRP.
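Bugs 1 and 2 both come down to what a browser puts in the Referer header when the current page's URL carries a secret and the user follows a link to another origin, and why the youtube.com/redirect interstitial changes that. The script below is an added example, not code from this write-up or from Google: it implements the Referrer Policy rules (simplified to navigations) so you can see which policy values send the full URL, only the origin, or nothing, and it models the interstitial pattern. All URLs (docs.example.com, whatismyreferer.example, the token value) are constructed. Two things it makes visible: in 2018 the browser default with no policy set was no-referrer-when-downgrade, which sends the full URL, query string included, to any HTTPS third party; current browsers default to strict-origin-when-cross-origin, which sends only the origin cross-site, so the page owner must set a policy explicitly to be protected on older clients.

```python
"""What reaches a third party in the Referer header when a user follows a
link from a page whose URL carries a secret, under each Referrer-Policy
value.  Added example, not code from the write-up; URLs are constructed.
The rules follow the W3C Referrer Policy algorithm, simplified to
navigations (credentials and fragment are stripped, nothing else)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed: a shareable-link style page URL with a secret in the query,
# standing in for the Colab / Fusion Tables links in the write-up.
PAGE_URL = "https://docs.example.com/d/abc123/view?token=SECRET_SHARE_TOKEN"
THIRD_PARTY = "https://whatismyreferer.example/"
THIRD_PARTY_HTTP = "http://whatismyreferer.example/"
SAME_ORIGIN = "https://docs.example.com/d/other"

POLICIES = ["no-referrer-when-downgrade", "unsafe-url", "origin-when-cross-origin",
            "strict-origin-when-cross-origin", "origin", "strict-origin",
            "same-origin", "no-referrer"]


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def _stripped(url):
    """The spec's 'stripped URL': drop credentials and fragment, keep the query."""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))


def _same_origin(a, b):
    return _origin(a) == _origin(b)


def _downgrade(src, dst):
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"


def referer_for(page_url, target_url, policy):
    """Referer value (None = header omitted) for a navigation page_url -> target_url."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _stripped(page_url)
    if policy == "origin":
        return _origin(page_url)
    if policy == "same-origin":
        return _stripped(page_url) if _same_origin(page_url, target_url) else None
    if policy == "no-referrer-when-downgrade":
        return None if _downgrade(page_url, target_url) else _stripped(page_url)
    if policy == "strict-origin":
        return None if _downgrade(page_url, target_url) else _origin(page_url)
    if policy == "origin-when-cross-origin":
        return _stripped(page_url) if _same_origin(page_url, target_url) else _origin(page_url)
    if policy == "strict-origin-when-cross-origin":
        if _same_origin(page_url, target_url):
            return _stripped(page_url)
        return None if _downgrade(page_url, target_url) else _origin(page_url)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


def query_leaks(page_url, target_url, policy):
    """True when the page's query string (where the secret lives) reaches target_url."""
    ref = referer_for(page_url, target_url, policy)
    return bool(ref) and urlsplit(ref).query == urlsplit(page_url).query != ""


def referer_via_interstitial(page_url, interstitial_url, target_url, policy):
    """The youtube.com/redirect pattern from the write-up: the link on the
    secret-bearing page goes to a same-origin HTML page (the Referer for
    that hop stays inside our own origin), and that page then navigates to
    the target, so the third party sees a Referer derived from the
    interstitial URL.  Caveat: a bare HTTP 30x hop would not give this
    result, because browsers keep deriving the Referer from the original
    document across redirects; the interstitial must be a real document."""
    hop1 = referer_for(page_url, interstitial_url, policy)    # seen only by our server
    hop2 = referer_for(interstitial_url, target_url, policy)  # seen by the third party
    return hop1, hop2


if __name__ == "__main__":
    for pol in POLICIES:
        print(f"{pol:32} -> {referer_for(PAGE_URL, THIRD_PARTY, pol)}")
    inter = "https://docs.example.com/redirect?q=" + THIRD_PARTY
    print("via interstitial:",
          referer_via_interstitial(PAGE_URL, inter, THIRD_PARTY, "no-referrer-when-downgrade"))
```

Run it and compare the first two rows with the rest: the two "full URL" policies are the ones that reproduce what whatismyreferer.com showed the author, and `referer_via_interstitial` shows the interstitial page's URL (which names the destination, not the secret) arriving at the third party instead.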

Bug 3
After finding this issue again I was looking for similar endpoints like a wild beast, testing all Google subdomains. Finally I found something called Google Fusion Tables (https://fusiontables.google.com). There too you can share the document with a shareable link.
It had an option to insert a link in the description. I inserted https://whatismyreferer.com there and clicked it. Guess what? It worked again. 😉 I was welcomed with the shareable link to the document. Bingo! Again I was awarded $500 for this bug.

Bug 4
Remember leaking unlisted YouTube video links through the referer header (bug 2)? One week later it was fixed and verified from both ends. A month later I was going through Google News and found news that there was a major update in YouTube Gaming. So I visited https://gaming.youtube.com. I found a lot of changes in it, including the logo :/ So I decided to test it again, as there is more chance of a security update being reverted in a new development update. So I tested it again and my instinct wasn't wrong. The fix was reverted and the bug was present in the same endpoint again. I reported the same issue and was awarded $500 again.
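Bug 4 is a regression: a fix that shipped, then disappeared in a redesign. The natural defence is an automated check that runs against every build of a page whose URL carries a secret and fails when user-supplied external links would once again send the full page URL. The following is an added example, not code from this write-up or any Google product: it takes a response's headers and HTML body, works out the document's effective referrer policy (the `Referrer-Policy` header, overridden by a `<meta name="referrer">` element if present, because the element is applied later), applies per-link overrides (`rel="noreferrer"` and the `referrerpolicy` attribute, both standard HTML), and returns the external links that would still leak the query string. The sample page, the headers and the hostnames are constructed. With no policy set it conservatively assumes the legacy default (no-referrer-when-downgrade, which these pages were running under in 2018), which is exactly the state a reverted fix leaves a page in.

```python
"""Regression check for the bug class in this write-up: a page whose URL
carries a secret (shareable-link token, unlisted video id) that renders
user-supplied external links.  Given the page's response headers and HTML,
report which external links would still send the full page URL in Referer.
Added example, not the write-up's code; the sample response is constructed."""
from html.parser import HTMLParser

# Policies under which a cross-origin navigation carries the full URL
# (path and query) of the referring page.
LEAKY_POLICIES = {"no-referrer-when-downgrade", "unsafe-url"}


class _LinkCollector(HTMLParser):
    """Collect <meta name=referrer> and every external <a href> together with
    the per-link overrides that matter (rel=noreferrer, referrerpolicy=...)."""

    def __init__(self):
        super().__init__()
        self.meta_policy = None
        self.links = []  # (href, rel tokens, link-level policy)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_policy = a.get("content", "").strip().lower()
        elif tag == "a" and a.get("href", "").lower().startswith(("http://", "https://")):
            self.links.append((a["href"],
                               set(a.get("rel", "").lower().split()),
                               a.get("referrerpolicy", "").strip().lower()))


def effective_policy(headers, meta_policy):
    """Document policy: a <meta name=referrer> element replaces the
    Referrer-Policy header value because it is applied after the header.
    Returns "" when neither is set so the caller decides what that means."""
    hdr = {k.lower(): v for k, v in headers.items()}.get("referrer-policy", "")
    return meta_policy if meta_policy else hdr.strip().lower()


def leaking_links(headers, body, assume_legacy_default=True):
    """External hrefs on the page that would receive the full page URL.
    assume_legacy_default=True treats an unset policy as the pre-2020
    browser default, no-referrer-when-downgrade (the conservative choice)."""
    p = _LinkCollector()
    p.feed(body)
    doc_policy = effective_policy(headers, p.meta_policy)
    if doc_policy == "" and assume_legacy_default:
        doc_policy = "no-referrer-when-downgrade"
    leaks = []
    for href, rel, link_policy in p.links:
        if "noreferrer" in rel:
            continue                        # rel=noreferrer omits Referer entirely
        policy = link_policy or doc_policy  # referrerpolicy attribute wins over document policy
        if policy in LEAKY_POLICIES:
            leaks.append(href)
    return leaks


# Constructed sample response for a document page such as
# https://docs.example.com/d/abc123?token=SECRET with user-added links.
SAMPLE_HEADERS = {"Content-Type": "text/html"}   # no Referrer-Policy set
SAMPLE_BODY = """
<html><head><title>shared doc</title></head><body>
<a href="https://whatismyreferer.example/">plain link</a>
<a href="https://whatismyreferer.example/" rel="noopener noreferrer">protected link</a>
<a href="https://whatismyreferer.example/" referrerpolicy="origin">origin-only link</a>
<a href="/internal">same-origin link</a>
</body></html>
"""
FIXED_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer"}
META_UNSAFE_BODY = SAMPLE_BODY.replace("<head>", '<head><meta name="referrer" content="unsafe-url">')

if __name__ == "__main__":
    print("before fix:", leaking_links(SAMPLE_HEADERS, SAMPLE_BODY))
    print("after fix: ", leaking_links(FIXED_HEADERS, SAMPLE_BODY))
    print("meta regression:", leaking_links(FIXED_HEADERS, META_UNSAFE_BODY))
```

Wire `leaking_links` into the test suite for every template that renders on a token-bearing URL; the third sample shows the case a header-only check misses, where a redesign adds a `<meta name="referrer">` element that silently undoes a correct `Referrer-Policy` header.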

Thanks to the Google Security Team for managing such an amazing VRP and huge rewards.

Wait, no infosec write-up is complete without a gif. Here is one: [gif not reproduced]
