This is a bug I reported to Google via Google's Vulnerability Rewards Program on Jun 5, 2019.
Below is an intact reproduction of the report sent to Google (I formatted several parts so they look better here, since I could only send plain text to Google, and I censored some parts):
Steps to reproduce:
- Open Google Chrome.
- Sign in with any Google Account which has access to the Community Console (the interesting case is a Product Expert's account rather than a Googler's account, because Googlers already have permission to do this).
- Load the Community Console (https://support.google.com/s/community).
- Open the JavaScript console (in Chrome's Developer Tools) and enter the following JavaScript code (replacing [forum_id] with an actual forum id where the user has permission to create a new thread, for instance [REDACTED], which is the Google Chrome Forum) to make a request (please note, this will create a thread in the [forum_id] forum):
fetch("https://support.google.com/s/community/api/CreateThread", {"credentials":"include","headers":{"content-type":"text/plain; charset=utf-8"},"body":'{"1":"[forum_id]","2":{"25":"1","4":"1","5":"1","9":"This is a title","13":"This is the body of the thread.","14":"en","21":2},"3":true,"5":1}',"method":"POST","mode":"cors"});
- Open the [forum_id] forum. You'll see that a new thread was created and that it is marked as trending, locked and pinned.
Just to clarify, in the request body, setting 2.25 = "1" enables the isTrending property (which marks the thread as trending), setting 2.4 = "1" enables the sticky property (which pins the thread), and setting 2.5 = "1" enables the closed property (which locks the thread).
Product Experts are not supposed to have permission to pin, lock or mark threads as trending: when they try to perform these actions on existing threads, even ones they created themselves, the server returns an "Unauthorized" error.
Browser/OS: Chrome OS 74.0.3729.159
Attack scenario
A product expert (a volunteer who answers questions in Google's official forums) can exploit this vulnerability to create a pinned post without needing a Googler to approve it. This pinned post will then appear featured in the community tab of a Google product Help Center (for instance https://support.google.com/chrome/community?hl=en), which boosts its visibility and may lend it some credibility. As you can see, the attacker doesn't gain that much, because once a Googler notices it they can unpin the thread (the post would probably be unpinned within a matter of hours). However, I wanted to send you this bug report because a security check is probably missing, and the lack of that check could have other, far more severe consequences that I am not aware of yet.