Page MenuHomeVulnz
Feed All Stories

Oct 29 2022

avm99963 changed the visibility for T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.
Oct 29 2022, 4:01 AM · Unknown Object (Project)
avm99963 closed T25: Subscriptions to saved filters trigger email notifications for unauthorized threads, a subtask of T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate, as Verified.
Oct 29 2022, 4:01 AM · Unknown Object (Project)
avm99963 closed T25: Subscriptions to saved filters trigger email notifications for unauthorized threads as Verified.

T25#429 is now fixed (Google notified me on Feb 19, 2022, and I could verify it now). Thus, publishing the whole report.

Oct 29 2022, 4:01 AM · Unknown Object (Project)

Jul 15 2022

avm99963 edited the content of Vulnerability Reports Lifecycle.
Jul 15 2022, 3:22 PM · Unknown Object (Project)

Oct 24 2021

avm99963 updated the task description for T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.
Oct 24 2021, 6:48 PM · Unknown Object (Project)
avm99963 added a comment to T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.

I just checked T25#429 hasn't been fixed yet, so I just sent a message in the Buganizer bug to state that.

Oct 24 2021, 6:48 PM · Unknown Object (Project)
avm99963 changed the visibility for T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate.
Oct 24 2021, 6:45 PM · Unknown Object (Project)
avm99963 changed the status of T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate from Fixed to Verified.

Google sent the automatic "Our systems show that all the bugs we created based on your report have been fixed by the product team" message on Jul 3, 2021, so I'm marking this as verified.

Oct 24 2021, 6:44 PM · Unknown Object (Project)

Jun 26 2021

avm99963 updated the task description for T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate.
Jun 26 2021, 8:39 PM · Unknown Object (Project)
avm99963 closed T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate as Fixed.

I'm marking this report as fixed since I've just checked that all the reproduction steps shared here don't work anymore (the endpoints seem to be properly protected now).

Jun 26 2021, 8:38 PM · Unknown Object (Project)
avm99963 added a comment to T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate.

On Jun 15, 2021 I contacted Google:

Jun 26 2021, 8:28 PM · Unknown Object (Project)

Jun 15 2021

avm99963 changed the visibility for T23: Avatars can be set to custom URLs and displayed in the Google Forums without using a proxy.
Jun 15 2021, 12:11 PM · Unknown Object (Project)
avm99963 closed T23: Avatars can be set to custom URLs and displayed in the Google Forums without using a proxy as Verified.

This has been fixed a long time ago by Google. Unrestricting access.

Jun 15 2021, 12:11 PM · Unknown Object (Project)
avm99963 added a comment to T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.

I just confirmed that the main vulnerability is fixed, while the one in comment T25#429 isn't.

Jun 15 2021, 12:05 PM · Unknown Object (Project)
avm99963 added a subtask for T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate: T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.
Jun 15 2021, 4:13 AM · Unknown Object (Project)
avm99963 added a parent task for T25: Subscriptions to saved filters trigger email notifications for unauthorized threads: T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate.
Jun 15 2021, 4:13 AM · Unknown Object (Project)
avm99963 created T26: Missing access control in methods v2/users:search and v2/users/status:batchUpdate.
Jun 15 2021, 4:11 AM · Unknown Object (Project)

Feb 20 2021

avm99963 set Reward to 3133 on T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.
Feb 20 2021, 3:00 AM · Unknown Object (Project)
avm99963 changed the status of T25: Subscriptions to saved filters trigger email notifications for unauthorized threads from New to Accepted.

Google mentioned on Jan 7 that a bug report was filed based on my report, so I'm marking this issue as accepted.

Feb 20 2021, 3:00 AM · Unknown Object (Project)

Jan 26 2021

avm99963 edited the content of Report a vulnerability to avm99963.
Jan 26 2021, 2:26 PM
avm99963 created an object: Report a vulnerability to avm99963.
Jan 26 2021, 12:44 AM

Jan 8 2021

avm99963 updated the task description for T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.
Jan 8 2021, 8:41 PM · Unknown Object (Project)
avm99963 added a comment to T25: Subscriptions to saved filters trigger email notifications for unauthorized threads.

Another vulnerability similar to this one has been reported to Google on Jan 8, 2021 as a comment in the same bug opened by this vulnerability report, due to the similarities between both vulnerabilities.

Jan 8 2021, 8:40 PM · Unknown Object (Project)

Jan 2 2021

avm99963 triaged T25: Subscriptions to saved filters trigger email notifications for unauthorized threads as Priority-1 priority.
Jan 2 2021, 2:09 PM · Unknown Object (Project)

Sep 15 2020

avm99963 set Vendor to Google on T23: Avatars can be set to custom URLs and displayed in the Google Forums without using a proxy.
Sep 15 2020, 3:03 PM · Unknown Object (Project)
avm99963 triaged T23: Avatars can be set to custom URLs and displayed in the Google Forums without using a proxy as Priority-3 priority.
Sep 15 2020, 3:02 PM · Unknown Object (Project)

Jul 20 2020

avm99963 changed the visibility for T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Jul 20 2020, 11:28 PM · Unknown Object (Project)
avm99963 added a comment to T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.

The blocking report has been published, so publishing this report too.

Jul 20 2020, 11:28 PM · Unknown Object (Project)
avm99963 changed the visibility for T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.
Jul 20 2020, 11:26 PM · Unknown Object (Project)
avm99963 closed T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console as Verified.

On Feb 14 2020, 8:47 PM, Google told me they fixed the issue and I could also verify the issue was fixed. Therefore, I'm marking this report as Verified and disclosing it to the public.

Jul 20 2020, 11:26 PM · Unknown Object (Project)
avm99963 changed the visibility for T22: XSS vulnerability in ub.edu.
Jul 20 2020, 11:22 PM · Unknown Object (Project)
avm99963 closed T22: XSS vulnerability in ub.edu as Verified.

On May 16 2020, 2:34 PM, SAE told me the developers fixed this issue, and I could verify this, so I'm marking this report as verified and disclosing it to the public.

Jul 20 2020, 11:22 PM · Unknown Object (Project)

May 14 2020

avm99963 set Reported to May 14 2020, 1:46 PM on T22: XSS vulnerability in ub.edu.
May 14 2020, 1:47 PM · Unknown Object (Project)

Apr 19 2020

avm99963 removed Deadline on T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.
Apr 19 2020, 5:15 AM · Unknown Object (Project)
avm99963 changed the visibility for T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.
Apr 19 2020, 5:15 AM · Unknown Object (Project)
Douglasbot changed the visibility for T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.

The deadline has been exceeded -- automatically publishing vulnerability report.

Apr 19 2020, 5:13 AM · Unknown Object (Project)

Apr 15 2020

avm99963 created T22: XSS vulnerability in ub.edu.
Apr 15 2020, 4:30 PM · Unknown Object (Project)

Apr 14 2020

avm99963 added a comment to T20: XSS vulnerability in sso.ub.edu.

Marking as verified because UB's SAE confirmed that the vulnerability was fixed on Feb 21 2020, 12:14.

Apr 14 2020, 10:19 AM · Unknown Object (Project)
Douglasbot changed the visibility for T20: XSS vulnerability in sso.ub.edu.

The deadline has been exceeded -- automatically publishing vulnerability report.

Apr 14 2020, 5:13 AM · Unknown Object (Project)

Feb 23 2020

avm99963 changed the visibility for T19: XSS vulnerability in ub.edu.
Feb 23 2020, 7:30 PM · Unknown Object (Project)
avm99963 added a comment to T19: XSS vulnerability in ub.edu.

On Feb 21, 2020, SAE confirmed that the vulnerability was fixed. From my end it also seems like it is fixed, so I'll be changing its status to verified and will publish it.

Feb 23 2020, 7:30 PM · Unknown Object (Project)

Feb 18 2020

avm99963 closed T20: XSS vulnerability in sso.ub.edu as Fixed.
Feb 18 2020, 1:07 AM · Unknown Object (Project)
avm99963 added a comment to T20: XSS vulnerability in sso.ub.edu.

This vulnerability seems to be fixed from my end since a couple of days ago. Therefore, I'm marking it as fixed.

Feb 18 2020, 1:07 AM · Unknown Object (Project)

Feb 4 2020

avm99963 changed the visibility for T18: Anyone can access a whitelist of users and delete users from the whitelist.
Feb 4 2020, 2:13 PM · Unknown Object (Project)
avm99963 added a comment to T18: Anyone can access a whitelist of users and delete users from the whitelist.

On Sep 12, 2019 Google confirmed that the vulnerability was fixed, so I'll publish it now.

Feb 4 2020, 2:13 PM · Unknown Object (Project)

Jan 22 2020

Douglasbot changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.

The deadline has been exceeded -- automatically publishing vulnerability report.

Jan 22 2020, 6:13 AM · Unknown Object (Project)

Jan 19 2020

avm99963 changed the status of T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console, a subtask of T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console, from Fixed to Verified.
Jan 19 2020, 5:43 PM · Unknown Object (Project)
avm99963 added a comment to T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.

On Jun 20, 2019 12:06 AM Google replied:

Jan 19 2020, 5:43 PM · Unknown Object (Project)
avm99963 added a parent task for T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console: T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.
Jan 19 2020, 5:43 PM · Unknown Object (Project)
avm99963 added a subtask for T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console: T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Jan 19 2020, 5:43 PM · Unknown Object (Project)
avm99963 created T21: IP addresses linked to the original poster of several forum threads revealed by API in the Google Forums Community Console.
Jan 19 2020, 5:43 PM · Unknown Object (Project)
avm99963 added a comment to T19: XSS vulnerability in ub.edu.

Changing its status to "started", because SAE (Servei d'Atenció a l'Estudiant) told me on Jan 16, 2020:

Jan 19 2020, 5:03 PM · Unknown Object (Project)

Jan 13 2020

avm99963 created T20: XSS vulnerability in sso.ub.edu.
Jan 13 2020, 4:16 PM · Unknown Object (Project)
avm99963 set Deadline to 154 on T17: It is possible to buy tickets for the Alhambra for 0,01 €.
Jan 13 2020, 1:19 PM · Unknown Object (Project)
avm99963 added a comment to T17: It is possible to buy tickets for the Alhambra for 0,01 €.

I haven't received any response, so I just sent them an email saying that I'll set this report to be autopublished in a week (which means setting the deadline field to 154 days), given that I verified that the issue was fixed.

Jan 13 2020, 1:19 PM · Unknown Object (Project)

Nov 27 2019

avm99963 created T19: XSS vulnerability in ub.edu.
Nov 27 2019, 11:46 PM · Unknown Object (Project)
avm99963 added a comment to T17: It is possible to buy tickets for the Alhambra for 0,01 €.

Since I reported the vulnerability in August, I only contacted them once again on Sep 2 to confirm whether they received the vulnerability details or not. They didn't reply and so I didn't know whether they actually received it.

Nov 27 2019, 10:57 PM · Unknown Object (Project)

Nov 20 2019

avm99963 changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.
Nov 20 2019, 9:38 AM · Unknown Object (Project)
Douglasbot changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.

The deadline has been exceeded -- automatically publishing vulnerability report.

Nov 20 2019, 6:13 AM · Unknown Object (Project)

Nov 19 2019

avm99963 changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.
Nov 19 2019, 9:07 AM · Unknown Object (Project)
avm99963 changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.
Nov 19 2019, 7:25 AM · Unknown Object (Project)
Douglasbot changed the visibility for T17: It is possible to buy tickets for the Alhambra for 0,01 €.

The deadline has been exceeded -- automatically publishing vulnerability report.

Nov 19 2019, 6:13 AM · Unknown Object (Project)

Sep 18 2019

Douglasbot changed the visibility for T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

The deadline has been exceeded -- automatically publishing vulnerability report.

Sep 18 2019, 7:13 AM · Unknown Object (Project)

Sep 17 2019

avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

CESICAT sent me an email on Sep 13, 2019, 4:54 PM stating the following:

Sep 17 2019, 10:22 PM · Unknown Object (Project)

Sep 9 2019

avm99963 changed Deadline from 90 to 97 on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Sep 9 2019, 12:57 AM · Unknown Object (Project)
avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

I haven't updated this report for a long time, so this is the timeline of the most important events since CESICAT had access to the vulnerability details until now:

Sep 9 2019, 12:57 AM · Unknown Object (Project)

Aug 23 2019

avm99963 created T18: Anyone can access a whitelist of users and delete users from the whitelist.
Aug 23 2019, 4:52 AM · Unknown Object (Project)
avm99963 changed the visibility for T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums.
Aug 23 2019, 4:24 AM · Unknown Object (Project)
avm99963 changed the visibility for T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:23 AM · Unknown Object (Project)
avm99963 added a comment to T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".

T13 and T14 were considered the same bug by Google in their own issue tracker, so I marked T14 as a duplicate of T13 in my issue tracker.

Aug 23 2019, 4:23 AM · Unknown Object (Project)
avm99963 merged task T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums into T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:17 AM · Unknown Object (Project)
avm99963 merged T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums into T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Aug 23 2019, 4:17 AM · Unknown Object (Project)

Aug 19 2019

avm99963 created T17: It is possible to buy tickets for the Alhambra for 0,01 €.
Aug 19 2019, 5:18 PM · Unknown Object (Project)

Jul 21 2019

avm99963 removed Deadline on T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Jul 21 2019, 1:01 AM · Unknown Object (Project)

Jun 19 2019

avm99963 added a comment to T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.

On Jun 19, 2019 4:23 PM I contacted Google again in order to tell them that 89 days have elapsed since the reporting date and to inquire about whether the fix was already implemented or not.

Jun 19 2019, 5:05 PM · Unknown Object (Project)
avm99963 changed Deadline from 90 to 120 on T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Jun 19 2019, 4:52 PM · Unknown Object (Project)
avm99963 set CVE to CVE-2019-12837 on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Jun 19 2019, 1:35 AM · Unknown Object (Project)

Jun 15 2019

avm99963 published a new version of Vulnerability Reports Lifecycle.
Jun 15 2019, 5:05 PM · Unknown Object (Project)

Jun 11 2019

avm99963 set Reported to Jun 11 2019, 1:00 PM on T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.
Jun 11 2019, 1:03 PM · Restricted Project
avm99963 added a comment to T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat.

I emailed an AES-256 encrypted ZIP file with a translation of this report in Catalan on Jun 10, 3:18 AM and I just gave CESICAT the key via another contact method, so I'm setting this vulnerability as reported on Jun 11, 1:00 PM because this is when they first had access to the document.

Jun 11 2019, 1:03 PM · Restricted Project

Jun 10 2019

avm99963 triaged T15: Students can (still) see other student's personal information at accesuniversitat.gencat.cat as Priority-0 priority.
Jun 10 2019, 3:18 AM · Restricted Project

Jun 5 2019

avm99963 triaged T14: Product Experts can review off-topic requests or hide from the public any message in the Google Help Forums as Priority-1 priority.
Jun 5 2019, 11:17 PM · Restricted Project
avm99963 changed the visibility for T7: Remote code execution and full access to database and codebase at offerplaying.com.
Jun 5 2019, 10:40 PM · Restricted Project
avm99963 closed T7: Remote code execution and full access to database and codebase at offerplaying.com as WontFix.

Prinsen Group seems to have disappeared completely from the map and exactly 1 year has passed since the vulnerability was first known, so I'm disclosing it publicly and marking it as WontFix.

Jun 5 2019, 10:39 PM · Restricted Project
avm99963 created T13: Product Experts can create threads with the properties "closed", "sticky" or "isTrending".
Jun 5 2019, 10:26 PM · Restricted Project
avm99963 raised the priority of T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console from Priority-1 to Priority-0.
Jun 5 2019, 10:09 PM · Restricted Project
avm99963 added a comment to T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.

On Apr 24 2019, 8:39AM Google said:

Jun 5 2019, 10:08 PM · Restricted Project

Apr 22 2019

avm99963 set Reward to 5000 on T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Apr 22 2019, 11:04 PM · Restricted Project
avm99963 set Reward to 0 on T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console.
Apr 22 2019, 11:04 PM · Restricted Project
avm99963 closed T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console as Fixed.

On Mar 23, 2019 2:41AM I sent Google another email detailing another vulnerability I found in the same API:

Apr 22 2019, 11:04 PM · Restricted Project

Mar 22 2019

avm99963 triaged T12: IP address of the original poster in a forum thread revealed by API in the Google Forums Community Console as Priority-1 priority.
Mar 22 2019, 12:29 AM · Restricted Project

Mar 19 2019

avm99963 changed the visibility for T11: All SAE support emails are visible to the public.
Mar 19 2019, 6:26 PM · Restricted Project
avm99963 changed the visibility for T10: Error message reveals information about some internal data structure.
Mar 19 2019, 6:26 PM · Restricted Project
avm99963 closed T11: All SAE support emails are visible to the public as Verified.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

Mar 19 2019, 6:26 PM · Restricted Project
avm99963 closed T10: Error message reveals information about some internal data structure as Verified.

The third party says the vulnerability is fixed and I could verify it too, so I'm publishing the vulnerability.

Mar 19 2019, 6:26 PM · Restricted Project

Mar 18 2019

avm99963 set Reported to Mar 18 2019, 12:47 AM on T10: Error message reveals information about some internal data structure.
Mar 18 2019, 12:52 AM · Restricted Project
avm99963 set Reported to Mar 18 2019, 12:47 AM on T11: All SAE support emails are visible to the public.
Mar 18 2019, 12:52 AM · Restricted Project
avm99963 updated the task description for T11: All SAE support emails are visible to the public.
Mar 18 2019, 12:25 AM · Restricted Project
avm99963 triaged T11: All SAE support emails are visible to the public as Priority-1 priority.
Mar 18 2019, 12:18 AM · Restricted Project

Mar 17 2019

avm99963 updated the task description for T10: Error message reveals information about some internal data structure.
Mar 17 2019, 11:33 PM · Restricted Project