This write-up is a walk-through of a misconfiguration that leaks sensitive URLs through the Referer header. It affected several Google products and has since been fixed.
Generally, Google has a feature to share documents through "shareable links". This means you can generate a unique link for your project or document and share it; anyone who has that link gets access (view or edit) to the document. The link itself is the only credential, so wherever the link is exposed, the document is exposed too.
Leaking Shareable Link – Google Colab (Bug 1)
Scrolling through infosec Twitter, I was stopped by an interesting write-up (XSS in Google Colab). After reading it, I decided to test Google Colab myself. After an hour of poking around to learn the site's behaviour, I discovered the feature to import a project from GitHub. As these kinds of features are prone to SSRF, I decided to test for it. But no luck 😦
To look at the API requests, I switched to the "HTTP history" tab in Burp Suite. Unexpectedly, I found my Google Colab link, including its unique ID, reflected in the Referer header of the GitHub API call made to import the project.
This means GitHub would be able to see the unique IDs of all Google Colab users who used the import feature. In most applications this is perfectly normal: knowing a unique ID without any authentication does not let you do any harm. But this was an exception. Google Colab has the share-via-link feature mentioned above, so with the link leaked to GitHub, anyone with access to GitHub's logs could open the projects or documents of every user who had enabled sharing via link and then used the import feature.
In other words, the person with access to GitHub's request logs can see the shareable links of Google Colab notebooks, and the link alone is enough to open them.
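The receiving side of this leak is a plain web-server log. The following is an added example (mine, not the author's code or anything GitHub or Google runs) of what a log pipeline on that side can do about it: parse combined-format access-log lines, flag Referer values that look like share-by-link URLs, and show the origin-only form the pipeline should store instead. The log lines and all IDs are constructed for the example, and the URL shapes in `SHARE_PATTERNS` are assumptions to be adjusted to whatever products are actually in scope.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format: the Referer is the second-to-last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Share-by-link URL shapes to look for in Referer values. Constructed for this example
# (the ID formats are assumptions); extend the table with the products you actually care about.
SHARE_PATTERNS = {
    "colab-notebook": re.compile(r"^https://colab\.research\.google\.com/drive/[\w-]+"),
    "drive-share-link": re.compile(r"[?&]usp=sharing\b"),
    "youtube-video": re.compile(r"^https://(?:gaming\.|www\.)?youtube\.com/watch\?(?:[^#]*&)?v=[\w-]{11}"),
    "fusiontables-doc": re.compile(r"^https://fusiontables\.google\.com/.*[?&]docid=[\w-]+"),
}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_referer(referer):
    """Name of the first share-link pattern the Referer matches, or None."""
    if not referer or referer == "-":
        return None
    for kind, pattern in SHARE_PATTERNS.items():
        if pattern.search(referer):
            return kind
    return None


def find_leaked_share_links(lines):
    """Return [(kind, referer, request)] for every log line whose Referer carries a share link."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_referer(rec["referer"])
        if kind:
            hits.append((kind, rec["referer"], rec["request"]))
    return hits


def redact_referer(referer):
    """What a log pipeline should store instead of the full value: the referring origin only."""
    if not referer or referer == "-":
        return referer
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}/"


# Constructed sample of what the receiving side (say, an API server) might log. All IDs are fake.
LOG_SAMPLE = """\
203.0.113.7 - - [10/Mar/2018:14:02:11 +0000] "GET /repos/octocat/hello-world/contents HTTP/1.1" 200 512 "https://colab.research.google.com/drive/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2018:14:02:15 +0000] "GET / HTTP/1.1" 200 1024 "https://gaming.youtube.com/watch?v=aB3dE5fG7hI" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2018:14:03:02 +0000] "GET / HTTP/1.1" 200 1024 "https://www.youtube.com/redirect" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2018:14:03:40 +0000] "GET / HTTP/1.1" 200 1024 "https://fusiontables.google.com/DataSource?docid=1xYz-AbC_dEf" "Mozilla/5.0"
198.51.100.6 - - [10/Mar/2018:14:04:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.58.0"
"""

if __name__ == "__main__":
    for kind, ref, req in find_leaked_share_links(LOG_SAMPLE.splitlines()):
        print(f"{kind:18} {req:48} referer={ref}  (store as {redact_referer(ref)})")
```

The line that came through the YouTube redirector is deliberately not flagged: its Referer is the bare redirector URL and carries no video ID, which is exactly the property the redirector exists to provide. The same scan works on a Burp HTTP-history export, which is how the author spotted the leak in the first place.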
(I guess the reward was high because the normal flow of the website was itself vulnerable, without any malicious interaction needed.)
Leaking Unlisted Video Link – YouTube Gaming (Bug 2)
I guessed there must be similar bugs in other Google products, as Google has the same sharing feature on several other sites, so I decided to try the same issue on other endpoints. How can anyone miss YouTube when thinking about shareable URLs (unlisted videos)? So I gave YouTube a try. I commented a link on a YouTube video and then clicked it. But there is something called the YouTube redirector 😦 It first sends the click to another URL which looks like: https://www.youtube.com/redirect?q=http%3A%2F%2Fevil.com. Because the click lands on the redirector page first, the destination always sees "https://www.youtube.com/redirect" as the Referer value, never the video URL. So I decided to go back and watch some CTF videos. On my YouTube home page I noticed something called YouTube Gaming. When I clicked on it, I was redirected to another subdomain, https://gaming.youtube.com. As it is a separate subdomain, and possibly a separate implementation, I decided to try the same bug there:
1. I opened a random video.
2. I was too lazy to open Burp, so I pasted the link https://whatismyreferer.com (this site displays the value of your Referer header).
3. Then I clicked on it. Surprisingly, it also leaked the referring URL, with no redirector in between.
With this, any external site linked from an unlisted Gaming video's page learns the video's URL as soon as a viewer clicks the link. Yipee!!
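Whether a click leaks the page URL is decided by the page's Referrer Policy and by whether a first-party redirector sits between the page and the destination. As an added example (my code, not the author's test procedure or anything YouTube ships), here is a small model of the W3C Referrer Policy rules as applied to a link from an unlisted video page: it computes the Referer the browser would attach under each of the eight policies, models `rel="noreferrer"`, and models the YouTube-style two-hop redirector. The page URL and video ID are constructed; the assumption that the redirector strips its own `?q=` query before navigating is mine, chosen to match the bare `https://www.youtube.com/redirect` the write-up observed.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight Referrer Policy values defined by the W3C Referrer Policy spec.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}


def _host(url):
    """host[:port] without userinfo (simplification: default ports are not normalised)."""
    return urlsplit(url).netloc.rsplit("@", 1)[-1]


def _origin(url):
    """Origin serialised the way a Referer header carries it: scheme://host[:port]/"""
    return f"{urlsplit(url).scheme}://{_host(url)}/"


def _stripped(url):
    """A URL 'stripped for use as a referrer': userinfo and fragment removed."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(url), p.path or "/", p.query, ""))


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade", noreferrer=False):
    """Referer header a browser sends when a link on page_url to target_url is followed.

    Returns None when no Referer is sent. `noreferrer` models rel="noreferrer" on the link.
    The default policy here is the one browsers shipped when this bug was found; current
    browsers default to strict-origin-when-cross-origin.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy}")
    if noreferrer or policy == "no-referrer":
        return None
    same_origin = _origin(page_url) == _origin(target_url)
    # "downgrade": leaving a potentially-trustworthy (https) page for a non-https target
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(target_url).scheme != "https"
    full, origin = _stripped(page_url), _origin(page_url)
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    # strict-origin-when-cross-origin
    if same_origin:
        return full
    return None if downgrade else origin


def referer_via_redirector(page_url, target_url, redirector="https://www.youtube.com/redirect",
                           policy="no-referrer-when-downgrade"):
    """Two-hop model of a first-party interstitial redirector.

    Hop 1: the click goes from the page to the redirector (first party, so it may legitimately
    see the page URL). Hop 2: the redirector navigates to the real target, which therefore sees
    the redirector's URL as Referer. Assumption for this model: the redirector page drops its
    own ?q= query before navigating, matching the bare redirector URL the write-up observed.
    Returns (referer seen by redirector, referer seen by target).
    """
    return (referer_for(page_url, redirector, policy),
            referer_for(redirector, target_url, policy))


def leaks_secret(referer, secret):
    """True if the Referer value carries the secret part of a share URL (an ID or token)."""
    return referer is not None and secret in referer


if __name__ == "__main__":
    # Constructed example: an unlisted video URL (fake ID) linking out to a third-party site.
    page = "https://gaming.youtube.com/watch?v=aB3dE5fG7hI"
    target = "https://whatismyreferer.com/"
    for pol in sorted(POLICIES):
        print(f"{pol:32} -> {referer_for(page, target, pol)}")
    print("rel=noreferrer                   ->", referer_for(page, target, noreferrer=True))
    print("via redirector                   ->", referer_via_redirector(page, target))
```

Under the policy browsers defaulted to at the time, the cross-origin click sends the full video URL, which is the leak; any of `strict-origin-when-cross-origin`, `origin`, `same-origin` or `rel="noreferrer"` stops it, and the redirector stops it without touching the page's policy at all.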
For this I was awarded $500 by the Google VRP.
Leaking Shareable Link – Google Fusion Tables (Bug 3)
After finding this issue I went hunting for similar endpoints like a wild beast, testing all the Google subdomains I could find. Finally I found something called Google Fusion Tables (https://fusiontables.google.com). There too, you can share a document via a shareable link.
It had an option to insert a link in the description. I inserted https://whatismyreferer.com there and clicked it. Guess what? It worked again. 😉 I was greeted with the shareable link to the document. Bingo! Again I was awarded $500 for this bug.
Regression – YouTube Gaming (Bug 2, again)
Remember the unlisted YouTube video link leaking through the Referer header (bug 2)? One week later it was fixed, and the fix was verified from both ends. A month after that I was going through Google News and saw that there was a major update to YouTube Gaming, so I visited https://gaming.youtube.com. I found a lot of changes, including the logo, so I decided to test it again: a large development update is a good chance for a security fix to get reverted. My instinct wasn't wrong. The fix had been reverted and the bug was present at the same endpoint again. I reported the same issue and was awarded $500 again.
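A fix that quietly disappears in a redesign is the case for a regression check you can rerun against every deployment. As an added example (mine, not the author's or YouTube's), the following audits one fetched page statically: it reads the `Referrer-Policy` response header, any `<meta name="referrer">`, and each anchor's `rel` and `referrerpolicy` attributes, and lists the cross-origin link targets that would receive the page's full URL in the Referer. The page HTML, headers and video ID are constructed; treating an absent policy as `no-referrer-when-downgrade` (the browser default at the time) and treating the redirector origin as trusted first party are assumptions stated in the code.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Policies under which a cross-origin https->https click sends the page's full URL.
# "" stands for "no policy set"; assumption: the browser default is no-referrer-when-downgrade.
FULL_URL_POLICIES = {"", "no-referrer-when-downgrade", "unsafe-url"}


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"


class _LinkCollector(HTMLParser):
    """Collects <meta name=referrer> and every <a href> with its rel/referrerpolicy attributes."""

    def __init__(self):
        super().__init__()
        self.meta_referrer = None
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_referrer = a.get("content", "").strip().lower()
        elif tag == "a" and a.get("href"):
            self.anchors.append((a["href"], a.get("rel", "").lower().split(), a.get("referrerpolicy")))


def leaking_links(page_url, html_body, headers=None, trusted_origins=()):
    """Return the cross-origin link targets on the page that would receive page_url in Referer.

    Precedence modelled: a per-link referrerpolicy attribute beats <meta name=referrer>, which
    beats the Referrer-Policy response header (the meta element is processed after the header
    and the last policy set wins). rel="noreferrer" suppresses the header entirely.
    trusted_origins lists first-party origins (e.g. the site's own redirector) allowed to see it.
    """
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}
    col = _LinkCollector()
    col.feed(html_body)
    page_policy = (col.meta_referrer if col.meta_referrer is not None
                   else hdrs.get("referrer-policy", "").strip().lower())
    page_origin = _origin(page_url)
    page_https = urlsplit(page_url).scheme == "https"
    leaks = []
    for href, rel, link_policy in col.anchors:
        target = urljoin(page_url, href)
        t_origin = _origin(target)
        if t_origin == page_origin or t_origin in trusted_origins or "noreferrer" in rel:
            continue
        policy = (link_policy if link_policy is not None else page_policy).strip().lower()
        if policy not in FULL_URL_POLICIES:
            continue
        downgrade = page_https and urlsplit(target).scheme != "https"
        if downgrade and policy != "unsafe-url":
            continue  # https -> http: the default policy drops the Referer on a downgrade
        leaks.append(target)
    return leaks


# Constructed test page: an unlisted video (fake ID) with several kinds of outbound link.
SAMPLE_PAGE_URL = "https://gaming.youtube.com/watch?v=aB3dE5fG7hI"
TRUSTED_ORIGINS = ("https://www.youtube.com/",)  # the first-party redirector
SAMPLE_HTML = """<html><head><title>constructed test page</title></head><body>
<a href="/watch?v=zZ9yY8xX7wW">related video (same origin)</a>
<a href="https://www.youtube.com/redirect?q=https%3A%2F%2Fexample.org%2F">via redirector</a>
<a href="https://whatismyreferer.com/">direct external link</a>
<a href="https://example.com/docs" rel="noopener noreferrer">external, noreferrer</a>
<a href="https://example.net/" referrerpolicy="strict-origin-when-cross-origin">external, per-link policy</a>
</body></html>"""

if __name__ == "__main__":
    for url in leaking_links(SAMPLE_PAGE_URL, SAMPLE_HTML, {}, TRUSTED_ORIGINS):
        print("page URL leaks to:", url)
```

This is a static check and sees only the markup the server returned; links injected by client-side scripts, and navigations made by script rather than by anchors, still need the click-through test the author used. Run it against the same endpoint after each release so a redesign that drops the header or re-introduces direct external links fails the build rather than earning another report.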
Thanks to the Google Security Team for running such an amazing VRP with such generous rewards.
Wait, no infosec write-up is complete without a GIF. Here is one.