
Avatars can be set to custom URLs and displayed in the Google Forums without using a proxy
Verified, Public

Description

This is a bug I reported to Google via Google's Vulnerability Rewards Program on Sep 14, 2020.

Below is an intact reproduction of the report sent to Google (I formatted several parts so they look better here, since I could only send plain text to Google, and I censored some parts):

Reproduction steps

  1. Open Google Chrome
  2. Go to Google, and sign in with a Google Account which has access to the Community Console (https://support.google.com/s/community) and is badged in at least one forum. By badged I mean that the user must have a special role in that forum (Product Expert, Googler, etc.); this is a requirement because the avatar is only shown in forums where a user is badged.
  3. Open the Community Console.
  4. In the JavaScript console, run the following command (where __USER_ID__ is your user id):
// Field 1 of the body is the user id; the nested field 2.2.2 is the avatarUrl
// that the normal avatar-upload flow would otherwise fill in.
fetch("https://support.google.com/s/community/api/UpdateGlobalUserInfo", {
  "headers": {
    "content-type": "text/plain; charset=utf-8",
  },
  "body": JSON.stringify({1: '__USER_ID__', 2: {2: {2: 'https://avm99963.com/images/avatarfull.jpg'}}}),
  "method": "POST",
  "mode": "cors",
  "credentials": "include"
});

In order to obtain your user id, you can do the following: in the Community Console's source code, search for the data-startup attribute in the html tag; the user id is the value of the 1.1.1 element of that JSON string.

  5. Create a thread (if not done already) in the forum where you're badged. For instance, if you're badged in the Chrome Forum, create a thread by filling in the form at https://support.google.com/chrome/thread/new.
  6. Open an incognito mode window and go to the recently created thread. Observe that your user avatar shown above your message points directly to https://avm99963.com/images/avatarfull.jpg. In the network tab of the Chrome Developer Tools it can be seen that the Referer header is being included in the request.

A non-exhaustive list of places where the avatar is inserted is the following: public thread pages (https://support.google.com/{product}/thread/{thread_id}), the community overview page (https://support.google.com/{product}/community/about), the public profile page (https://support.google.com/{product}/profile/{user_id}), and the thread and profile pages in the Community Console.

Browser/OS: Chrome OS 85.0.4183.108

Attack scenario

Any user badged in the forums, in particular "Product Experts" (active posters in the Google forums badged by Google) can set a custom avatar URL by following the reproduction steps explained above. The avatarUrl field is normally automatically set by the standard procedure to upload a new avatar image (it is of the form https://storage.googleapis.com/support-forums-api/avatar/profile-{X}-{Y}.{EXT}), but this procedure replaces that URL with an arbitrary URL.

By doing this, the image is injected in all places where the avatar is shown, pointing to the custom URL. When any user visits these pages, a request is sent to that endpoint, which enables the server to collect IP addresses and the URL of the page where the avatar was loaded via the Referer header.

I've reported this because although I don't know whether this is considered a security or a privacy issue or whether it is inside the scope of the VRP, teams across Google have consistently served external images through a web proxy (for instance https://ci4.googleusercontent.com/proxy[...]) instead of pointing to them directly, in order to anonymize those requests. Products that behave this way include Google Groups and Gmail. Also, the Community Console/Tailwind (the Google Forums platform) has a filter to reject images inserted into messages which point to external URLs (only some Google domains are whitelisted for img tags).
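As an added example (not Google's code and not part of the original report), here is the server-side handling that would have closed this: an avatarUrl check that only accepts the normal storage.googleapis.com form the report describes, and a renderer that serves the image through a proxy with referrerpolicy="no-referrer", as the report says Gmail and Groups do. The proxy base, DEFAULT_AVATAR and the function names are assumptions.

```javascript
// Added example, not Google's code: validate a user-supplied avatarUrl before an
// UpdateGlobalUserInfo-style endpoint stores it, and render it without leaking
// visitors' IP addresses or page URLs to an external host.

// Pathname of a normal avatar: /support-forums-api/avatar/profile-{X}-{Y}.{EXT}
const AVATAR_PATH = /^\/support-forums-api\/avatar\/profile-[\w-]+-[\w-]+\.(jpe?g|png|gif|webp)$/i;
// Assumed placeholder used when a stored URL fails validation.
const DEFAULT_AVATAR = 'https://storage.googleapis.com/support-forums-api/avatar/default.png';

// Returns { ok: true, url } for an acceptable URL, or { ok: false, reason } otherwise.
function validateAvatarUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch (e) { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  // new URL() lowercases the host and splits off userinfo, so a value such as
  // "https://storage.googleapis.com@other.example/..." arrives here with host 'other.example'.
  if (url.hostname !== 'storage.googleapis.com') return { ok: false, reason: 'host' };
  if (url.username || url.password || url.port) return { ok: false, reason: 'userinfo-or-port' };
  // pathname already has "/../" segments resolved, so the pattern is checked on the final path
  if (!AVATAR_PATH.test(url.pathname)) return { ok: false, reason: 'path' };
  if (url.search || url.hash) return { ok: false, reason: 'query-or-fragment' };
  return { ok: true, url: url.href };
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render the avatar through an image proxy (assumed proxyBase, e.g. "https://proxy.example/?url="),
// so the image host sees the proxy's address rather than the visitor's IP, and with
// referrerpolicy="no-referrer" so the page URL is not sent even if the proxy is bypassed.
function renderAvatarTag(storedUrl, proxyBase) {
  const v = validateAvatarUrl(storedUrl);
  const src = v.ok ? v.url : DEFAULT_AVATAR; // a rejected URL is never emitted
  const proxied = proxyBase + encodeURIComponent(src);
  return `<img src="${escapeAttr(proxied)}" referrerpolicy="no-referrer" alt="avatar">`;
}
```

The validation belongs at write time (the update endpoint) and the proxying at render time; doing only one leaves either stored bad data or a direct leak path.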

Details

Vendor: Google
Product: Community Console
Reported: Sep 14 2020, 11:15 PM
Reward: 0

Event Timeline

avm99963 triaged this task as Priority-3 priority. Sep 15 2020, 3:02 PM
avm99963 created this task.
avm99963 set Vendor to Google.
avm99963 set Product to Community Console.

This has been fixed a long time ago by Google. Unrestricting access.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Jun 15 2021, 12:11 PM
avm99963 set Reward to 0.