Ahmad Mahfouz

Random notes

Google Drive Information Leak

Google Drive & Gmail attachments Leak

This is part of the Google bounty program.

[IDOR] An exploit that allows an attacker to leak your Google Drive files

This means an attacker could leak Gmail attachments that were uploaded to Google Drive, photos you shared via Gmail, or files shared from any other third party.

Here is the non-technical product flow:

You go to Google Drive and upload a file, then you decide to share it with example@domain.com. Google generates a 28-character hash for the uploaded file and includes this hash in the email that is sent to example@domain.com.


The exploit reproduction steps:

1. Open drive.google.com and log in.
2. Intercept the traffic to POST https://drive.google.com/act.
3. Replace the docId parameter with any docId.
4. The API responds with the document list of the targeted docId and the file hashes!!!


docId is a kind of unique ID for each Google Drive account.

Example IDs:
0ALWQPi6NE9vbUk9PVA
0ALEF_Oqt-UCPUk9PVA
0ANqT87FNEYawUk9PVA

As you can see, they all start with 0A and end with Uk9PVA; there is a kind of sequence here, and it is easy to brute-force.

The malformed request:


Google Drive responds with a JSON file containing the files shared via your account.

Example response:


As you can see here:

["0B7WXP883E9vbX1CBZWtaemtPNXM","20140121_130143.jpg","image/jpeg"]

0B7WXP883E9vbX1CBZWtaemtPNXM is the file hash; anyone who has it could access the file 20140121_130143.jpg.

You will be able to access this file via this link: https://drive.google.com/file/d/0B7WXP883E9vbX1CBZWtaemtPNEM/
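The bug class described above, as an added example that is not from the original post and not Google's code: a minimal in-memory model of an endpoint that returns the [hash, filename, mimetype] list for a docId, first without any ownership check (the IDOR) and then with the check the endpoint needed. All account IDs, file hashes, names and e-mail addresses are constructed sample values.

```python
# Constructed sample store: docId -> (owning user, list of [fileHash, name, mime]),
# mirroring the [hash, filename, mimetype] triples seen in the real response.
ACCOUNTS = {
    "0AEXAMPLE00000001Uk9PVA": ("alice@example.com", [
        ["0BEXAMPLEhash000000000001", "holiday.jpg", "image/jpeg"],
        ["0BEXAMPLEhash000000000002", "taxes.pdf", "application/pdf"],
    ]),
    "0AEXAMPLE00000002Uk9PVA": ("bob@example.com", [
        ["0BEXAMPLEhash000000000003", "notes.txt", "text/plain"],
    ]),
}


class Forbidden(Exception):
    """Raised when the authenticated user does not own the requested docId."""


def list_shared_files_vulnerable(session_user: str, doc_id: str) -> list:
    """IDOR: trusts the client-supplied docId and never consults session_user."""
    _owner, files = ACCOUNTS[doc_id]
    return files


def list_shared_files_fixed(session_user: str, doc_id: str) -> list:
    """Authorization check: the docId must belong to the authenticated user.

    The ownership lookup is done server-side against the session, so a tampered
    docId in the POST body yields an error instead of another account's files.
    """
    record = ACCOUNTS.get(doc_id)
    if record is None or record[0] != session_user:
        # Same response for "not found" and "not yours", so the endpoint cannot
        # be used as an oracle to confirm which docIds exist.
        raise Forbidden("docId does not belong to the authenticated user")
    return record[1]


if __name__ == "__main__":
    # Bob, logged in, submits Alice's docId (the tamper from step 3 of the post).
    print(list_shared_files_vulnerable("bob@example.com", "0AEXAMPLE00000001Uk9PVA"))
    try:
        list_shared_files_fixed("bob@example.com", "0AEXAMPLE00000001Uk9PVA")
    except Forbidden as exc:
        print("blocked:", exc)
```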

Exploit reported on Apr 22, 2015
Exploit fixed on Apr 30, 2015
docId hash improved on May 7, 2015


with a $3133.7 bounty

One thought on “Google Drive Information Leak”

  • ktokkisa
    January 8, 2017 at 12:08 am

    hi
