Clickjacking on Google MyAccount Worth 7,500$

Recently I got a surprise from Google: I found a clickjacking bug on Google My Account, and they rewarded me 7,500$ for a single bug. Amazing, right? I first found this bug in March 2018, but back then the clickjacking was blocked by CSP; in August I found a way to bypass it.

Actually, I had been researching the business.google.com subdomain, just looking around and poking at the features like a dummy: reading the requests and responses, trying stupid things like editing parameters, and so on. When I tried to manage a user, it redirected me to myaccount.google.com, which is where I found the bug.

I looked at my lovely Community Edition of Burp Suite: there was no X-Frame-Options header on the response. At that time I was using Firefox ESR, so I crafted a simple HTML page that just iframed the page. It worked, and I reported it, but the report was Not Applicable, because on Firefox Quantum it says Blocked by CSP:

Screenshot: clickjacking blocked by CSP on a modern browser

Sad to hear that, but I realized I was just too much of a noob. So, it's okay. I left my Google research alone until August 15th, when I went back to look at my previous research again, with more focus and of course my black coffee, and tried to understand how the code works.

I realized that the CSP rule is reflected from my request parameter. I had come from business.google.com, so the host in the parameter is business.google.com.

URL: https://myaccount.google.com/u/0/brandaccounts/group/101656179839819660704/managers?originProduct=AC&origin=https://business.google.com

And the response is:

Screenshot: request and response headers

I realized the host only accepts business.google.com in the origin parameter. So I thought the only way to execute it was from business.google.com. But then I tried editing the origin parameter to https://akugalau.business.google.com. It was accepted! But it's impossible to use that subdomain. Hmmmm,

Okay, the CSP was still there, and I couldn't do anything, right? So must I give up? Come on, it's a big company, and me? Just a little kid with a broken-heart story 🙁 SAD!

But I had a lot of free time to do stupid things, right? So I just added an illegal character to the origin parameter: I put a URL-encoded carriage return (%0d) before business.google.com. It became like this:

https://myaccount.google.com/u/0/brandaccounts/group/101656179839819660704/managers?originProduct=AC&origin=https://%0d.business.google.com

And the CSP disappeared, w000tttttt!!!!?!@?#!@?3!@?3?

Screenshot: the CSP header is gone

I tried to iframe it, and I succeeded in performing the clickjacking :' . I was somewhere between disbelief and happiness.

If you ask me what the logic is behind adding the URL-encoded character there, I don't understand it :' , I'm just a lucky kid.
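The exact server-side cause was never published, so as an added example (my own illustration, not Google's code) here is the pattern a defender should use when a CSP frame-ancestors value is derived from an untrusted origin parameter: a strict exact-match allowlist, rejection of control characters such as the %0d above, and failing closed to 'none' instead of dropping the header. The naive builder, the allowlist contents and all function names are assumptions for this illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed allowlist for this illustration (exact origins, no wildcards).
ALLOWED_ORIGINS = {"https://business.google.com"}

# A header value may contain only printable ASCII; CR, LF and other control
# characters are rejected before they can reach the header layer.
_SAFE_VALUE = re.compile(r"^[\x21-\x7e]+$")


def naive_frame_ancestors(raw_param):
    """Assumed weak pattern (not Google's real code): decode the parameter
    and reflect it straight into the header value. With %0d the value
    carries a raw carriage return, i.e. a malformed header."""
    return f"frame-ancestors 'self' {unquote(raw_param)}"


def canonical_origin(raw_param):
    """Return the canonical origin (scheme://host[:port]) if the parameter
    is an allowed origin, otherwise None."""
    decoded = unquote(raw_param)
    if not _SAFE_VALUE.match(decoded):
        return None  # empty, whitespace, %0d/%0a, non-ASCII ...
    parts = urlsplit(decoded)
    try:
        port = parts.port  # raises ValueError on a garbage port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    origin = f"https://{parts.hostname}"  # hostname is already lowercased
    if port is not None:
        origin += f":{port}"
    # Exact-match allowlist: attacker-chosen subdomains do not pass.
    return origin if origin in ALLOWED_ORIGINS else None


def frame_ancestors_header(raw_param):
    """Hardened builder: always emits a CSP header and fails closed."""
    origin = canonical_origin(raw_param)
    if origin is None:
        return ("Content-Security-Policy", "frame-ancestors 'none'")
    return ("Content-Security-Policy", f"frame-ancestors 'self' {origin}")
```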

I made a report quickly and submitted it to Google. After one month, I expected it to be worth 3,133.7 or 5,000. But Google gave me a bigger bounty: 7,500$. What!

I don't know what I'm supposed to say. :' , I don't believe it, because I'm just a noob kid.

PoC code:

<iframe src="https://myaccount.google.com/u/0/brandaccounts/group/{your-group-id}/managers?originProduct=AC&origin=https://%0d.business.google.com" width="1000" height="1000"></iframe>

Attack scenario:

1. The admin invites a new user to the group ID
2. The new user accepts the invitation
3. The new user now knows the {your-group-id}
4. The new user creates a malicious page including this clickjacking to trick the admin into making the new user's account the owner
5. The group is taken over by the user.

Video:

Timeline:

  • Aug 11 : Reported to Google
  • Aug 15 : Google staff asked for details
  • Aug 15 : Added details
  • Aug 21 : Google couldn't prove the bug
  • Aug 21 : Gave them a PoC video
  • Aug 28 : Google asked about the attack scenario
  • Aug 28 : Gave them the attack scenario
  • Sep 11 : Nice catch!
  • Sep 25 : Bounty 7,500$
  • Sep 25 : I cry.

And also, big thanks to the whole Indonesian bug hunter community, who have taught me a lot about bug bounty and the ethics of bug hunting.

Get in touch with me on Twitter: LocalHost31337

Published by apapedulimu

Urip Kui Urup
