
IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console
Status: Verified / Public

Description

This is a bug I reported to Google.

Below is an intact reproduction of the report sent to Google (I censored some parts):

Abstract

A variant of T12 now occurs in another API method. This method is relatively new (I found no mention of it in the JavaScript code some months ago).

To summarize: the https://support.google.com/s/community/api/SuggestDuplicateThreads endpoint returns, given a thread id and its forum id, a list of suggested threads related to the one provided. It is called with a POST request whose body is a JSON string, authenticated via the cookies of any user registered in the Google forums/communities. If the response includes any suggested threads, each returned thread also includes the IP address and country code of its author.

Reproduction steps

  1. Sign in with a Google Account in Chrome
  2. Open https://support.google.com/chrome/thread/17542816?hl=en and click the Upvote button. This automatically creates a Forum/community user for the Google Account, which the API endpoint requires; otherwise it returns {"2":16,"4":"User not found"}.
  3. Open the Developer Tools, go to the Network tab, and reload the page. Take note of the Cookie header sent with the document request (the main request) to the server.
  4. Now open a terminal and run the following command, substituting Cookie: abcxyz with the Cookie header grabbed in the previous step:
curl 'https://support.google.com/s/community/api/SuggestDuplicateThreads' -H 'Cookie: abcxyz' --data-binary '{"1":"[REDACTED]","2":"[REDACTED]"}' --compressed
  5. In the JSON response, you'll see various IPv4 and IPv6 addresses.
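The last step asks the reader to spot IP addresses by eye in a response that uses opaque numeric (protobuf-style) keys. The following script is an added example, not part of the original report or of Google's code: it walks an arbitrary JSON response, flags every string value that parses as an IPv4 or IPv6 address together with its key path, and recognises the "User not found" error the report mentions. The SAMPLE_RESPONSE is constructed for the example; the real response layout and key numbers are unknown (the report redacts them), so the nesting below is an assumption and the scanner deliberately does not depend on it.

```python
import ipaddress
import json
from typing import Any, Iterator, List, Tuple

# Constructed sample response. The numeric keys mimic the protobuf-style JSON
# seen in the real error body {"2":16,"4":"User not found"}; the nesting of
# thread / author / ip / country fields is an ASSUMPTION for this example only.
SAMPLE_RESPONSE = json.dumps({
    "1": [
        {"1": {"1": "203.0.113.42", "2": "US"}, "2": "Thread title A"},
        {"1": {"1": "2001:db8::1", "2": "ES"}, "2": "Thread title B"},
        {"1": {"1": "not-an-ip", "2": "FR"}, "2": "Thread title C"},
    ],
    "2": "17542816",
})

# The error body quoted in the report for an account without a forum user.
USER_NOT_FOUND = {"2": 16, "4": "User not found"}


def walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (key_path, leaf_value) for every scalar in a JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield path, node


def find_ip_addresses(raw_json: str) -> List[Tuple[str, int, str]]:
    """Return (path, ip_version, address) for every string leaf that is a
    syntactically valid IP address. Country codes, titles and numeric ids
    fail ipaddress parsing and are skipped; no schema knowledge is needed."""
    hits = []
    for path, value in walk(json.loads(raw_json)):
        if not isinstance(value, str):
            continue
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue
        hits.append(("/".join(path), ip.version, str(ip)))
    return hits


def is_user_not_found(raw_json: str) -> bool:
    """True when the endpoint answered with the error the report describes,
    i.e. the Google Account has no Forum/community user yet."""
    try:
        return json.loads(raw_json) == USER_NOT_FOUND
    except ValueError:
        return False


if __name__ == "__main__":
    if is_user_not_found(SAMPLE_RESPONSE):
        print("no forum user for this account; upvote a thread first")
    else:
        for path, version, address in find_ip_addresses(SAMPLE_RESPONSE):
            print(f"IPv{version} {address} at key path {path}")
```

In practice one would feed the body saved from the curl command in step 4 into find_ip_addresses instead of SAMPLE_RESPONSE; because the scanner keys on the shape of the values rather than on the (redacted) field numbers, it also serves as a quick regression check after a fix: a patched endpoint should yield an empty list.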

Attack scenario

The same as T12, except that in the original issue you could directly request information about a thread and the returned information would include the IP address of its author, so a specific thread could be targeted easily. In this case the list returned by the endpoint is not strictly deterministic, so obtaining the IP address of the author of a specific thread can be harder. I therefore consider it less critical, but not harmless: to target a specific thread, one could pass related threads as input to the endpoint and would probably encounter the target thread in the returned list without much effort, even doing it manually.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor
Google
Product
Community Console
Reported
Jan 19 2020, 2:47 AM

Event Timeline

Douglasbot changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Apr 19 2020, 5:13 AM

The deadline has been exceeded -- automatically publishing vulnerability report.

avm99963 changed the visibility from "Public (No Login Required)" to "Restricted Project (Project)".Apr 19 2020, 5:14 AM
avm99963 removed Deadline.

On Feb 14 2020, 8:47 PM, Google told me they fixed the issue and I could also verify the issue was fixed. Therefore, I'm marking this report as Verified and disclosing it to the public.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Jul 20 2020, 11:26 PM