Summary: The specified URL is vulnerable to CSRF. The request to this URL contains an XSRF token, but the token is not validated at the server end, allowing the private reports data to be accessed. This bug requires social engineering to be exploited.
CSRF Vulnerable URL: https://bughunter.withgoogle.com:443/api/reports
- Victim must be logged in to bughunter.withgoogle.com.
- Attacker needs to prepare a genuine-looking web page to build trust with the victim so that they will drop a downloaded file onto it.
- Attacker sends a URL to the victim.
- Victim clicks the Download button, which triggers an HTTP request to the vulnerable URL; this request doesn’t require any authentication token. The confidential data file gets downloaded.
- Victim drops the downloaded file on the same page, and all the private reports data is sent to a remote server.
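The root cause stated in the summary is that the XSRF token travels with the request but is never checked on the server. The following Python is an added illustration of the missing check, written for this edit and not taken from the report or from any Google code: it validates a double-submit token (cookie value must equal the header value, compared in constant time) and checks the request origin before the reports endpoint returns anything. The cookie and header names, the allowed-origin set, and the minimal Request class are assumptions made for the example; a cross-site page cannot read the cookie or attach the custom header, so such a request fails the check.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed names; the real application's token names are not given in the report.
XSRF_COOKIE = "XSRF-TOKEN"
XSRF_HEADER = "x-xsrf-token"
# Assumption: only the application's own origin may call the API.
ALLOWED_ORIGINS = {"https://bughunter.withgoogle.com"}


class Request:
    """Hypothetical minimal request object holding just what the check needs."""

    def __init__(self, method, headers, cookies):
        self.method = method
        # Header names are case-insensitive; normalise once.
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.cookies = dict(cookies)


def issue_xsrf_token():
    """Fresh unguessable token to bind to the session and hand to the client as a cookie."""
    return secrets.token_urlsafe(32)


def request_origin(req):
    """Origin header if present, otherwise the scheme+host derived from Referer, else None."""
    origin = req.headers.get("origin")
    if origin:
        return origin
    referer = req.headers.get("referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def validate_xsrf(req):
    """Return (ok, reason). The server compares the submitted token against the
    session-bound cookie value instead of merely checking that a token is present."""
    cookie_token = req.cookies.get(XSRF_COOKIE)
    header_token = req.headers.get(XSRF_HEADER)
    if not cookie_token or not header_token:
        return False, "missing token"
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(cookie_token, header_token):
        return False, "token mismatch"
    if request_origin(req) not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    return True, "ok"


def reports_handler(req):
    """Endpoint guard: reject before touching any report data."""
    ok, reason = validate_xsrf(req)
    if not ok:
        return 403, {"error": f"forbidden: {reason}"}
    # Constructed placeholder payload; a real handler would query the user's reports here.
    return 200, {"reports": ["report-placeholder"]}


def demo():
    """Constructed requests showing which ones the guard lets through."""
    token = issue_xsrf_token()
    same_site = Request("GET",
                        {"Origin": "https://bughunter.withgoogle.com", "X-XSRF-TOKEN": token},
                        {XSRF_COOKIE: token})
    # A cross-site page gets the browser to attach the cookie but cannot add the header.
    cross_site = Request("GET", {"Origin": "https://other.example"}, {XSRF_COOKIE: token})
    return {
        "same_site": reports_handler(same_site)[0],
        "cross_site": reports_handler(cross_site)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The Origin/Referer check is defence in depth on top of the token comparison; on its own it would be weakened by browsers or proxies that strip Referer, which is why a missing origin is treated as untrusted rather than skipped.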
Video POC: