Here is a write-up about a simple bug which leaks sensitive tokens present in the URL through the Referer header. In Google I found this particular issue in several endpoints. Let's look into it.
The journey of this bug started when I read a write-up of an XSS in Google. You can read it here. After my regular school hours I decided to just surf through https://colab.research.google.com (I got this endpoint from that write-up). I didn't expect to find any bugs, as many top researchers had been looking at Google Colab for the past 2 weeks. Without any hope I was clicking on each option to learn the website's behaviour. After some time I found an option to import projects from GitHub. This smelled fishy to me, so I decided to test it for SSRF (Server Side Request Forgery). For that I was going through the HTTP history in Burp Suite. As usual, the expected thing never happens with Google. Then the Referer header in the request caught my attention. The actual URL of my project file was visible in the request to GitHub. It would be normal behaviour if Google didn't have anything sensitive in the URL. But in my case it was an exception.
Google has a feature to share documents through shareable links. That is, you can generate a unique link for your document and share it. Anyone with that link will have access to your document. It's more or less similar to YouTube's unlisted video feature.
Google Colab also had the same feature.
Let's get back to the bug. The request looked like this:
Did you notice? The Referer header contains our secret token and the host is api.github.com. So anyone with access to GitHub's logs can see every shareable link made in Google Colab. I was awarded $3133.7 for this bug. I guess the amount was large because the default behaviour of Google Colab leaks the URL without any attacker intervention.
I guessed there must be similar bugs in other Google products, as Google has the same sharing feature on several other sites. So I decided to try this issue on some other endpoints. How can anyone miss YouTube when thinking about shareable URLs (unlisted videos)? So I decided to give YouTube a try. I just tried commenting a link on a YouTube video and then clicking on it. But there is something called the YouTube redirector 😦 It first redirects our URL to another URL which looks like: https://www.youtube.com/redirect?q=http%3A%2F%2Fevil.com. Because of this the Referer header will always have the value “https://www.youtube.com/redirect”. So I decided to go back and watch some CTF videos. On my YouTube home page I noticed something called YouTube Gaming. When I clicked on it, I was redirected to another subdomain, https://gaming.youtube.com. As it is another subdomain, I decided to try the same bug there:
1. So I opened a random video.
2. I was too lazy to open Burp, so I pasted the link https://whatismyreferer.com (this site displays the value of your Referer header).
3. Then I clicked on it. Surprisingly, it also leaked the video ID in the Referer without any redirection in between.
With this I can leak unlisted Gaming videos' URLs. Yipee!!
For this I was awarded $500 by Google VRP.
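The mechanism behind the Colab and YouTube Gaming findings above, as an added example (my own code, not the author's or Google's): a small model of the browser's Referrer-Policy rules that shows which policies carry a share token from the page's path into a third party's logs, and why linking through a page such as youtube.com/redirect does not. The share URL, token and GitHub path are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

def _host_port(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"

def stripped(url):
    # Browsers never send credentials or the fragment in Referer, but the
    # path and query (where a share token usually lives) are kept.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path, p.query, ""))

def referer_for(policy, source, target):
    """Referer value a browser sends when a page at `source` links to `target`
    under the given Referrer-Policy, or None when no header is sent."""
    same_origin = origin_of(source) == origin_of(target)
    downgrade = source.startswith("https:") and target.startswith("http:")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped(source)
    if policy == "no-referrer-when-downgrade":   # the old browser default
        return None if downgrade else stripped(source)
    if policy == "origin":
        return origin_of(source)
    if policy == "strict-origin":
        return None if downgrade else origin_of(source)
    if policy == "same-origin":
        return stripped(source) if same_origin else None
    if policy == "origin-when-cross-origin":
        return stripped(source) if same_origin else origin_of(source)
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if same_origin:
            return stripped(source)
        return None if downgrade else origin_of(source)
    raise ValueError(f"unknown policy: {policy}")

def leaks_token(policy, source, target, token):
    """True when the share token would reach the target server's logs."""
    ref = referer_for(policy, source, target)
    return ref is not None and token in ref

# Constructed sample values, not real Google share links.
TOKEN = "SHARE_TOKEN_PLACEHOLDER"
SHARE_URL = f"https://colab.research.google.com/drive/{TOKEN}"
GITHUB_API = "https://api.github.com/repos/example/project"
REDIRECTOR = "https://www.youtube.com/redirect?q=http%3A%2F%2Fevil.com"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:34} -> {referer_for(policy, SHARE_URL, GITHUB_API)}")
```

A `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) response header, or `rel="noreferrer"` on the outbound link, is the fix the model points at: the token stays in the path, but only the origin leaves the site.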
After finding this issue again, I was looking for similar endpoints like a wild beast, testing all Google subdomains. Finally I found something called Google Fusion Tables (https://fusiontables.google.com). There too you can share the document with a shareable link.
It had an option to insert a link in the description. I inserted https://whatismyreferer.com there and clicked it. Guess what? It worked again. 😉 I was welcomed with the shareable link to the document. Bingo! Again I was awarded $500 for this bug.
Remember leaking unlisted YouTube video links through the Referer header (bug 2)? One week later it was fixed and verified from both ends. A month later I was going through Google News and found an article saying there was a major update to YouTube Gaming. So I visited https://gaming.youtube.com. I found a lot of changes in it, including the logo, so I decided to test it again, as there is a greater chance of a security fix being reverted in a new development update. I tested it again and my instinct wasn't wrong. The fix was reverted and the bug was present at the same endpoint again. I reported the same issue and was awarded $500 again.
Thanks to the Google Security Team for managing such an amazing VRP and huge rewards.
Wait, no infosec write-up is complete without a gif. Here is one: