CSRF bug to access private reports to Google VRP

Summary : The specified URL is vulnerable to CSRF. The request to this URL carries an XSRF token, but the token is not validated at the server end, which allows the private report data to be accessed. Exploiting this bug requires social engineering.

CSRF Vulnerable URL : https://bughunter.withgoogle.com:443/api/reports

Prerequisites :

  1. Victim must be logged in to bughunter.withgoogle.com.
  2. Attacker needs to prepare a genuine-looking web page that builds enough trust for the victim to drop a downloaded file onto it.

Process:

  1. Attacker sends a URL to victim.
  2. Victim clicks the Download button, which triggers an HTTP request to the vulnerable URL; the request does not require any authentication token, and the confidential data file gets downloaded.
  3. Victim drops the downloaded file on the same page, and all the private report data is sent to the remote server.

Video POC : 
