
Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums
Status: Duplicate (Public)

Description

This is a bug I reported to Google via Google's Vulnerability Rewards Program on Jun 5, 2019.

Below is an intact reproduction of the report sent to Google (I formatted several parts so they look better here, since I could only send plain text to Google, and I censored some parts):

Steps to reproduce:

  1. Open Google Chrome
  2. Sign in with any Google Account which has access to the Community Console (the interesting part is if this is not a Googler's account but a Product Expert's account, because most probably Googlers have permission to do this in the forums in which they have the "Community Manager" role).
  3. Load the Community Console (https://support.google.com/s/community).
  4. Select a message (a reply to a thread) from any thread in any forum that you want to hide from public view. You'll need the message id (*message_id*), the id of the thread which contains the message (*thread_id*), and the id of the forum which contains the thread (*forum_id*). You can get these values by loading a thread in the Community Console, clicking the three dots icon next to a message, clicking "Get Link", and then selecting "Console link"; you'll see a URL with the three values.
  5. Open the JavaScript console (in Chrome's Developer Tools) and enter the following JavaScript code (changing *forum_id*, *thread_id* and *message_id* with the actual values from step 3) to make a request to the Community Console API:

     fetch("https://support.google.com/s/community/api/ReviewOffTopic", {
       "credentials": "include",
       "headers": {"content-type": "text/plain; charset=utf-8"},
       "body": '{"1":"*forum_id*","2":"*thread_id*","5":["*message_id*"],"6":0}',
       "method": "POST",
       "mode": "cors"
     });

You'll see that the message, even if it wasn't marked to be reviewed as off topic, is now hidden from public view (maybe Community Managers can still see it from the Community Console, but it disappears from the public thread in the Help Center, and from the Community Console if logged in as a Product Expert too).

Note that the function to review off-topic markings is reserved to Community Managers of a particular Forum, but these repro steps demonstrate that any user with access to the Community Console can perform it nevertheless.

Browser/OS: Chrome OS 74.0.3729.159

Attack scenario

Any Product Expert with enough knowledge to figure out the API endpoints and how they work (like me, for example) can essentially hide any forum message from public view even if it's not theirs, so it would be like effectively deleting messages from other people. I don't know if there are records of who performs these actions, but it seems like this could be done without any Googler noticing, if the person exploiting this bug was a little bit careful (obviously doing this with all the messages in a Forum would make a Googler notice), because at least in the definitions of the internal data structures of the front-end code there isn't any field to contain the id of the user who reviews an off-topic request.

This is why this could be harmful.

Also, to explore more, I reckon that changing the value with key "6" of the response body may also change the status of the thread (as I can see in the front-end code, internally this property is called "threadVerdict"), because it is actually set to 0 (which corresponds to "OT_UNSPECIFIED") in the repro steps, but changing it to 1 (which corresponds to "OT_OFF_TOPIC") could maybe also hide the whole thread (I haven't tested it, but it is a possibility).


Half an hour later, I sent the following message:

Some modifications to what I already said:

In the repro steps, in step 1 (when signing in), I discovered it's NOT necessary to sign in with an account that has access to the Community Console. It can be any Google account, given that you can figure out the details which are retrieved in step 3 without signing in to the console (from the public view of the thread you can get the message ID and thread ID easily, but I haven't found a way to get the forum ID without accessing the Community Console).

This expands the scope of the attack scenario to any user with a Google Account who happens to know how the Community Console API works and the correspondence between Google Products and their forum ids.

Also, I would like to rectify this sentence in the repro steps: "it disappears [...] from the Community Console if logged in as a Product Expert too". It seems like it only disappears in the Community Console for the user who performed the request outlined in step 4, because when I tried to perform the repro steps with a test account I have which doesn't have access to the Community Console, it worked as I mentioned at the end of the repro steps, but when logging into the Community Console with my main account I still see the reply with an "Off-topic" message, as can be seen in the screenshot I've attached. However, from the public thread hosted in the Help Center the message is not visible anymore.

Attachment: Screenshot 2019-06-05 at 14.31.31.png (504×1 px, 54 KB)
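A defender's reference handler for the endpoint described in the repro steps and in the follow-up message, added here as an example and not Google's code: it accepts the same body layout (fields "1", "2", "5" and "6", with verdict 0 for OT_UNSPECIFIED and 1 for OT_OFF_TOPIC), authorizes the caller by Community Manager role on the specific forum rather than by mere access to the console, and records the acting user id, which the report notes the front-end data structures lack. The role table, session object, audit log and function name are assumptions constructed for this example.

```javascript
// Added example, not Google's code: a reference server-side handler for a
// "review off-topic" request that enforces the forum-level Community Manager
// role and records who performed the review. Field numbers and verdict values
// follow the request body shown in the report; everything else is constructed.
const OT_UNSPECIFIED = 0;
const OT_OFF_TOPIC = 1;

// Constructed role data: which user ids hold "Community Manager" on which forum ids.
const communityManagers = {
  "forum-A": new Set(["googler-1"]),
};

// Constructed audit log: every accepted or rejected attempt, with the actor id.
const auditLog = [];

function reviewOffTopic(session, rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (e) {
    return { status: 400, error: "malformed JSON body" };
  }
  const forumId = body["1"];
  const threadId = body["2"];
  const messageIds = body["5"];
  const verdict = body["6"];
  if (typeof forumId !== "string" || typeof threadId !== "string" ||
      !Array.isArray(messageIds) || messageIds.length === 0 ||
      ![OT_UNSPECIFIED, OT_OFF_TOPIC].includes(verdict)) {
    return { status: 400, error: "invalid fields" };
  }
  // Authorization is decided per forum: being signed in, or being able to load
  // the Community Console at all, grants nothing by itself.
  const managers = communityManagers[forumId] || new Set();
  const actor = session && session.userId ? session.userId : null;
  const allowed = actor !== null && managers.has(actor);
  // Log before deciding, so rejected attempts are visible to reviewers too.
  auditLog.push({ actor, forumId, threadId, messageIds, verdict, allowed });
  if (!allowed) {
    return { status: 403, error: "caller is not a Community Manager of this forum" };
  }
  return { status: 200, hidden: messageIds, threadVerdict: verdict };
}
```

The audit entry is written for denied requests as well, so a pattern of 403s from one account stands out in review.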

Details

Vendor: Google
Product: Community Console
Reported: Jun 5 2019, 1:58 PM
Deadline: 90