Journey through Google referer leakage bugs.


Hello Hunters,
Here is a write-up about a simple bug which leaks sensitive tokens present in the URL through the referer header. In Google I have found this particular issue in several endpoints. Let’s look into it.

The journey of this bug started when I read a write-up of an XSS in Google. You can read it here. After my regular school hours I decided to just surf through  (I got this endpoint from that write-up). I didn’t expect to find any bugs, as many top researchers were behind Google Colab for the past 2 weeks. Without any hope I was clicking on each option to learn the website’s behavior. After some time I found an option to import projects from GitHub. This smelled fishy to me, so I decided to test it for SSRF (Server-Side Request Forgery). For that I was going through the HTTP history in Burp Suite. As usual, the expected thing never happens with Google. Then the referer header in the request caught my attention. The actual URL of my project file was visible in the request to GitHub. It would be normal behavior if Google didn’t have anything sensitive in the URL. But in my case it was an exception.

Google has a feature to share documents through shareable links. That is, you can generate a unique link for your documents and share it. The person with that link will have access to your documents. It’s more or less similar to YouTube’s unlisted video feature.

Google Colab also had the same feature.

Screenshot from 2018-12-31 19-49-48


Let’s get back to the bug. The request looked like this:

Screenshot from 2018-12-31 19-53-24

Did you notice? The referer header has our secret token and the host is So the person having access to the GitHub logs can see all shareable links made in Google Colab. I was awarded $3133.7 for this bug. I guess the amount was huge because the default working of Google Colab will leak the URL without any attacker’s intervention.

I guessed there must be similar bugs in some other Google products, as Google had the same sharing feature on several other sites. So I decided to try this issue on some other endpoints. How can anyone miss YouTube when thinking about shareable URLs (unlisted videos)? So I decided to give YouTube a try. I just tried to comment a link on a YouTube video and then click on it. But there is something called the YouTube redirector 😦 It will initially redirect our URL to another URL which looks like: Due to this the referer header will always have the value as : “”. So I decided to get back and watch some CTF videos. On my YouTube home page I noticed something called YouTube Gaming. When I clicked on it, I got redirected to another subdomain called As it is another subdomain I decided to give the same bug a try here.

1. So I opened a random video.
2. I was too lazy to open Burp. So I pasted the link: (This site displays the value of your referer header).
3. Then clicked on it. Surprisingly it also leaked the referer ID without any redirection in between.

With this I can leak unlisted Gaming video’s URL. Yipee!!
For this I was awarded $500 from Google VRP.

Bug 3
After finding this issue again I was looking for similar endpoints like a wild beast, testing all Google subdomains. Finally I found something called Google Fusion Tables ( There too you can share the document with a shareable link.
It had an option to insert a link in the description. I inserted there and clicked it. Guess what? It worked again. 😉 I was welcomed with the shareable link to the document. Bingo! Again I was awarded $500 for this bug.

Bug 4
Remember leaking the unlisted YouTube video link through the referer header (bug 2)? One week later it was fixed and was verified from both ends. A month later I was going through Google News and found news that there was a major update in YouTube Gaming. So I visited . Then I found a lot of changes in it, including the logo :/ So I decided to test it again, as there is more chance of a security update being reverted in a new development update. So I tested it again and my instinct wasn’t wrong. The fix was reverted and the bug was present in the same endpoint again. Reported the same issue and was awarded $500 again.

Thanks to the Google Security Team for managing such an amazing VRP and huge rewards.

Wait, no info-sec write-up is complete without a gif. Here is one.


