Here is a writeup about a simple bug that leaks sensitive tokens from a URL through the Referer header. I found this particular bug in several Google endpoints. Let's look at it.
The journey of this bug started when I found a nice write-up of a Google XSS, an XSS in Google Colab. You can read that write-up here. After my regular school hours I decided to just surf through https://colab.research.google.com. I didn't expect any bugs, since many top researchers had been looking at Google Colab for the past two weeks. Without much hope I clicked through each option to learn the site's behaviour. There was an option to import projects from GitHub. That smelled fishy to me, so I decided to test for SSRF and went through the request headers in Burp Suite. As usual with Google, the expected thing never happened. Then the Referer header caught my attention: the actual link to my project file was visible in the Referer header of the request to GitHub. This would be normal behaviour if Google didn't put any token in the link, but many Google products have a feature that lets a user share a document through a unique shareable URL.
Here is a sample request (bug 1):
GET /search/repositories?sort=updated&order=desc&q=user:name+fork:true HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Connection: close
Google Colab was one of them. So I reported the issue and was awarded $3133.7. The bug may not seem worth that amount, but I believe it was rewarded that highly because an attacker doesn't need to target or interact with a victim at all: every Google user leaks the token just by using the site normally.
I guessed there must be similar bugs in other Google products too, because Google has the same sharing feature on several other sites, so I decided to dig into this issue on other endpoints. How can anyone forget YouTube when thinking about tokens in URLs (unlisted videos)? So I decided to give YouTube a try. I commented a link on a YouTube video and clicked on it. But YouTube has something called the YouTube redirector, which first sends you to a link within YouTube and only then redirects you to the external site, so the Referer the external site sees is the redirector's URL rather than the video page URL. The link looks like: https://www.youtube.com/redirect?q=http%3A%2F%2Fevil.com. So I stepped back and went to watch some CTF videos. On my YouTube home page I noticed something called YouTube Gaming. When I clicked on it, I was redirected to another subdomain, https://gaming.youtube.com. As it is a separate subdomain, I decided to try the same bug there:
1, Opened a random video.
2, I was too lazy to open Burp, so I pasted the link https://whatismyreferer.com in a comment.
3, Then clicked on it. Unsurprisingly, the unlisted video link leaked through the referrer too.
For this I was awarded $500 from the VRP.
After finding this, I was again hunting for similar endpoints like a wild beast, testing all Google subdomains. Finally I found something called Google Fusion Tables (https://fusiontables.google.com).
It had an option to insert a link. I inserted https://whatismyreferer.com there and clicked it. Guess what, it worked again. 😉 I was welcomed with the link and the secret token of the shareable document. Bingo, again I was awarded $500 for this bug.
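The mechanism behind all three bugs is the same: the share URL carries the secret, the browser copies the page URL into the Referer header when you follow an external link, and the receiving site reads it back. Which part of the URL leaks depends on the page's referrer policy. The following is an added example, not code from the original post or from Google; it models the common Referrer Policy values for a navigation away from a page whose URL holds a token. The URLs, the token and the video ID are constructed placeholders, and the redirector is modelled as an interstitial page the user navigates from, which is an assumption about how such a redirector behaves, not a description of YouTube's implementation.

```javascript
// Added example (not from the original post or from Google): how a browser
// derives the Referer header for a navigation away from a page whose URL
// carries a secret, following the Referrer Policy spec's rules for the
// common policy values. All URLs and tokens below are constructed placeholders.

const POLICIES = [
  "no-referrer",
  "no-referrer-when-downgrade",
  "origin",
  "origin-when-cross-origin",
  "same-origin",
  "strict-origin",
  "strict-origin-when-cross-origin",
  "unsafe-url",
];

// Origin of a URL plus a trailing slash, the form browsers send for
// origin-only policies.
function originOf(u) {
  return new URL(u).origin + "/";
}

// Full URL minus userinfo and fragment, which are never sent in Referer.
function strippedUrl(u) {
  const parsed = new URL(u);
  parsed.username = "";
  parsed.password = "";
  parsed.hash = "";
  return parsed.href;
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// A navigation from https to http is a "downgrade" for the *-downgrade rules.
function isDowngrade(from, to) {
  return new URL(from).protocol === "https:" && new URL(to).protocol === "http:";
}

// Referer header value a browser would send for a navigation from pageUrl
// to targetUrl under the given policy, or null when no header is sent.
function refererFor(pageUrl, targetUrl, policy) {
  const same = sameOrigin(pageUrl, targetUrl);
  const down = isDowngrade(pageUrl, targetUrl);
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // default in 2017-era browsers
      return down ? null : strippedUrl(pageUrl);
    case "origin":
      return originOf(pageUrl);
    case "origin-when-cross-origin":
      return same ? strippedUrl(pageUrl) : originOf(pageUrl);
    case "same-origin":
      return same ? strippedUrl(pageUrl) : null;
    case "strict-origin":
      return down ? null : originOf(pageUrl);
    case "strict-origin-when-cross-origin": // default in current browsers
      if (same) return strippedUrl(pageUrl);
      return down ? null : originOf(pageUrl);
    case "unsafe-url":
      return strippedUrl(pageUrl);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// True when the Referer value would hand the secret to the target site.
function leaksSecret(referer, secret) {
  return referer !== null && referer.includes(secret);
}

// Names of the policies under which a share URL leaks its secret to targetUrl.
function leakingPolicies(pageUrl, targetUrl, secret) {
  return POLICIES.filter((p) => leaksSecret(refererFor(pageUrl, targetUrl, p), secret));
}

// Constructed sample data: a share link with the token in its path and an
// unlisted-video style link with the ID in the query string.
const SHARE_URL = "https://app.example.com/drive/s3cr3t-share-token/edit?usp=sharing#cell-7";
const SHARE_TOKEN = "s3cr3t-share-token";
const VIDEO_URL = "https://video.example.com/watch?v=unl1st3dV1d";
const VIDEO_ID = "unl1st3dV1d";
const TARGET = "https://whatismyreferer.com/";
// Assumed model of a redirector: an interstitial page the user navigates from,
// whose own URL holds only the destination, not the video ID.
const REDIRECTOR = "https://video.example.com/redirect?q=" + encodeURIComponent(TARGET);

function demo() {
  for (const p of POLICIES) {
    const ref = refererFor(SHARE_URL, TARGET, p);
    console.log(p.padEnd(32), String(ref).padEnd(64), leaksSecret(ref, SHARE_TOKEN) ? "LEAKS" : "ok");
  }
  console.log("via redirector:", refererFor(REDIRECTOR, TARGET, "no-referrer-when-downgrade"));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

Running `demo()` prints, for each policy, the Referer that would reach https://whatismyreferer.com and whether it contains the token. Only `no-referrer-when-downgrade` (the old browser default) and `unsafe-url` hand over the path and query; a `Referrer-Policy: strict-origin-when-cross-origin` response header, a `<meta name="referrer">` tag, or `rel="noreferrer"` on the link would have stopped all three leaks. It also shows why an interstitial redirector helps: the final navigation starts from the redirector's own URL, which carries no video ID.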
Remember leaking the unlisted video link through the referer (bug 2)? One week later it was fixed and verified from both ends. One month later I was going through Google News and found a news item saying there was a major update to YouTube Gaming. So I visited https://gaming.youtube.com and found a lot of changes, including the logo, so I decided to test again: a big redesign has a good chance of reverting an earlier security fix. I tested it again and I wasn't wrong. The fix had been reverted and the bug was present at the same endpoint again. I reported the same issue and was awarded $500 again.
Thanks to the Google Security Team for running such an amazing VRP and for the generous rewards.
Wait, no infosec writeup is complete without a gif. Here is one: