Gmail Misconfiguration leading to account takeover – Bug Bounty POC
Hi Bug Bounty PoC viewers, my name is Abdul Ghaffar, AKA GUJJAR PCP. You will be wondering what the heck I am doing here 😛 Well, I will be sharing my first find, which I found in Google, and it is also my first write-up on this amazing and trending blog. I know half of you have seen my PoC videos, but a write-up is a whole different way of describing the issue.
So I decided to start with Google to hunt bugs. As I was going through the password reset mechanism of Google accounts, I noticed something: as you all know, when we enter our email in Forgot Password it asks us to confirm by email or phone number, but for ease of use, in case the user has access to neither email nor phone, there was another option to confirm, which caught my attention. It was an option which requires two things from the user to verify:
– Last login Date
– Account Creation Date
I started digging into it with the help of a test account. After some time I found out that the last login date was missing a verification check on their backend servers, which means it could be anything; it was like a dummy field. So the next part was really easy, because there was no rate limiting on this. What I did was put a random date and year as the last login (as I mentioned above, it can be anything). As a matter of fact, the account creation date can be guessed easily, because most of the accounts created by you guys were made during 2005-2016, and since there was no rate limiting on that either, I tried some possibilities and was able to reset the password of my account. So I guess that was the end of Part 1 of my write-up; let's move on to what the Google security team replied.
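To make the two weaknesses concrete, here is an added example (not Google's code) of a toy recovery verifier: the flawed form, where the last-login answer is never compared and nothing counts attempts, next to a hardened form. The account record, dates and lockout threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed account record; the real system's fields are unknown.
@dataclass
class Account:
    created: date
    last_login: date
    failed_attempts: int = 0
    locked: bool = False

MAX_ATTEMPTS = 5  # assumed lockout threshold; the write-up says no limit existed

def verify_weak(acct, claimed_last_login, claimed_created):
    """The behaviour described in the write-up: the last-login answer is
    accepted unchecked and nothing counts repeated attempts."""
    return claimed_created == acct.created

def verify_hardened(acct, claimed_last_login, claimed_created):
    """Both answers must match, failures are counted per account, and the
    challenge locks after MAX_ATTEMPTS regardless of later answers."""
    if acct.locked:
        return False
    if claimed_last_login == acct.last_login and claimed_created == acct.created:
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
    return False

def guesses_until_outcome(verify, acct, start=date(2005, 1, 1), end=date(2016, 12, 31)):
    """Walk every day in the range the write-up names, feeding a dummy last-login
    date; returns (accepted, number_of_guesses) so the two verifiers compare."""
    dummy_last_login = date(2000, 1, 1)
    guess, n = start, 0
    while guess <= end:
        n += 1
        if verify(acct, dummy_last_login, guess):
            return True, n
        if acct.locked:
            return False, n
        guess += timedelta(days=1)
    return False, n

def demo():
    """Same constructed account under both verifiers."""
    created, last_login = date(2010, 6, 15), date(2016, 3, 2)
    weak, hard = Account(created, last_login), Account(created, last_login)
    return guesses_until_outcome(verify_weak, weak), guesses_until_outcome(verify_hardened, hard)
```

The weak verifier accepts after the creation date is reached by enumeration; the hardened one rejects the dummy last-login answer and locks the challenge after five failures.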
After I reported this to the Google security team they replied with a really disappointing excuse and fixed the issue only slightly. They said that it can be exploited only on the computer on which the victim account was once logged in, meaning they said it is only exploitable locally. They also provided me with a test account to take over, but the shocking thing was that after they slightly fixed it by implementing a check of the cookies, I was not even able to take over the account that I did in the testing. You guys will be wondering whether I am just making lame excuses about it, but I have got that part covered 🙂
I made 3 videos:
– PoC of the bug
– Additional info
– After slightly patching the bug
Gmail Misconfiguration leading to account takeover video PoC: