
Product Experts can create threads with the properties "closed", "sticky" or "isTrending"
Status: Verified, Public

Description

This is a bug I reported to Google via Google's Vulnerability Rewards Program on Jun 5, 2019.

Below is an intact reproduction of the report I sent to Google (I formatted several parts so they look better here, since I could only send plain text to Google, and I censored some parts):

Steps to reproduce:

  1. Open Google Chrome.
  2. Sign in with any Google Account which has access to the Community Console (the interesting part is if this is not a Googler's account but a Product Expert's account, because Googlers have permission to do this).
  3. Load the Community Console (https://support.google.com/s/community).
  4. Open the JavaScript console (in Chrome's Developer Tools) and enter the following JavaScript code (replacing [forum_id] with an actual forum id where the user has permission to create a new thread, for instance [REDACTED], which is the Google Chrome Forum) to make a request (please note, this will create a thread in the [forum_id] forum):
fetch("https://support.google.com/s/community/api/CreateThread", {"credentials":"include","headers":{"content-type":"text/plain; charset=utf-8"},"body":'{"1":"[forum_id]","2":{"25":"1","4":"1","5":"1","9":"This is a title","13":"This is the body of the thread.","14":"en","21":2},"3":true,"5":1}',"method":"POST","mode":"cors"});
  5. Open the [forum_id] forum. You'll see that a new thread was created and that it is marked as trending, locked and pinned:

Just to clarify, in the request body, setting 2.25 = "1" enables the isTrending property (which marks the thread as trending), setting 2.4 = "1" enables the sticky property (which pins the thread), and setting 2.5 = "1" enables the closed property (which locks the thread).

In theory Product Experts don't have permission to pin, lock or mark threads as trending, because when trying to perform these actions on existing threads, even if they originally created those threads, the server returns an "Unauthorized" error.
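The missing check, as an added example that is not Google's code: a CreateThread handler that applies the same authorization rule to the privileged properties that the edit path already enforces, so a request from a non-Googler carrying any of them gets the same "Unauthorized" answer. Field numbers follow the request body above; the role names and handler shape are assumptions.

```javascript
// Added example, not Google's code: reject privileged thread properties
// on creation unless the caller is allowed to set them, using one rule
// shared with the edit path. Role names and handler shape are assumed.
const PRIVILEGED_FIELDS = [
  ["25", "isTrending"], // marks the thread as trending
  ["4", "sticky"],      // pins the thread
  ["5", "closed"],      // locks the thread
];

// Field "2" holds the thread; a value of "1" (or 1/true) enables the flag.
function requestedPrivilegedProps(body) {
  const thread = (body && typeof body["2"] === "object" && body["2"]) || {};
  return PRIVILEGED_FIELDS
    .filter(([k]) => thread[k] === "1" || thread[k] === 1 || thread[k] === true)
    .map(([, name]) => name);
}

// One authorization rule for CreateThread and any edit endpoint.
// caller.role is an assumed value: "googler" | "product_expert" | "user".
function authorizePrivilegedProps(caller, body) {
  const requested = requestedPrivilegedProps(body);
  if (requested.length > 0 && caller.role !== "googler") {
    return { ok: false, status: 403, error: "Unauthorized", denied: requested };
  }
  return { ok: true, status: 200, denied: [] };
}

// Hardened CreateThread handler: refuse the whole request instead of
// silently creating a pinned/locked/trending thread.
function handleCreateThread(caller, rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: "Malformed body" };
  }
  const auth = authorizePrivilegedProps(caller, body);
  if (!auth.ok) return { status: auth.status, error: auth.error, denied: auth.denied };
  const thread = (body && body["2"]) || {};
  return {
    status: 200,
    thread: { forum: body["1"], title: thread["9"], props: requestedPrivilegedProps(body) },
  };
}

// Constructed request body, copied from the report's fetch() call above.
const SAMPLE_BODY =
  '{"1":"[forum_id]","2":{"25":"1","4":"1","5":"1","9":"This is a title","13":"This is the body of the thread.","14":"en","21":2},"3":true,"5":1}';
```

Running `handleCreateThread({ role: "product_expert" }, SAMPLE_BODY)` yields a 403 naming all three denied properties, while the same body without those flags is accepted.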

Browser/OS: Chrome OS 74.0.3729.159

Attack scenario

A product expert (a volunteer who answers questions in Google's official forums) can exploit this vulnerability in order to create a pinned post without a Googler having to approve the change. That pinned post will then appear featured in the community tab of a Google product Help Center (for instance https://support.google.com/chrome/community?hl=en), which boosts its visibility and may lend it some credibility. As you can see, the attacker doesn't gain that much, because once a Googler notices the thread they can unpin it (it might only be a matter of hours before the post is unpinned). However, I wanted to send you this bug report because a security check is probably missing, and the lack of this security check could have other consequences much more severe than this that I don't know of right now.

Details

Vendor: Google
Product: Community Console
Reported: Jun 5 2019, 12:27 AM
Deadline: 90
Reward: 500

Event Timeline

T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.

On June 18, 2019 18:20 Google told me I was awarded $500.00 for both reports, and on Jul 6, 2019 00:23 Google told me that the bugs were fixed (and I confirmed it too). I asked for permission to post the vulnerability details later and they granted it to me, so I'll proceed to publish both reports.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Aug 23 2019, 4:23 AM
avm99963 set Reward to 500.