CSRF bug to access private reports to Google VRP

Summary : Specified URL is vulnerable to CSRF. Request to this url contains XSRF token but not validated at the server end causing the private reports data to be accessed . This bug requires social engineering to get exploited.

CSRF Vulnerable URL : https://bughunter.withgoogle.com:443/api/reports

Prerequisites :

  1. Victim must be logged in to bughunter.withgoogle.com.
  2. Attacker needs to prepare a genuine looking web page to build trust on victim to drop a downloaded file.

Process:

  1. Attacker sends a URL to victim.
  2. Victim clicks the Download button which triggers HTTP request to the vulnerable URL which doesn’t require any authentication token. Confidential data file gets downloaded.
  3. Victim drops the downloaded file on same page and all the private reports data will be sent to remote server.

Video POC : 

(Visited 596 times, 1 visits today)

Leave A Comment

Your email address will not be published. Required fields are marked *