[ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google )

بسم الله الرحمن الرحيم

(This is a Simple POC).

Image for post
Image for post

So the story is long. First I want to say Alhamdulillah until today. :)

I was begin intend to gather information … recon, recon and recon at the stage of searching for subdomains and their directory.


Sub-domain search:

1. Knockpy — https://medium.com/hacker-toolbelt/knokpy-5c6745e53770
2. Sublist3r — https://github.com/aboul3la/Sublist3r

Directory search:

  1. Dirsearch — https://github.com/maurosoria/dirsearch

A long story short is i found a subdomain from google subdomain.

I got a target : https://learndigital.withgoogle.com/digitalgarage

Image for post
Image for post

From the look of this website you can see that there are two method for account registration forms to enter the system.

Image for post
Image for post

And then, I am reminded of a proof of concept that I made, which is :


Where when someone does the registration process, the system does not verify the registered email.

#Bugbountytips : Security Impact is Email addresses can be sign-in using main domain without verification, and this is can do an action with official email or other.

“sometimes you can try this method to registration with email officially or other and enter the system without verification”

And this is how to reproduce this issue :

Summary: Insufficient Security Configurability | Flaw in Authentication

Steps to reproduce:

Case #1 on the Attacker-Side
1. Go http://learndigital.withgoogle.com/
2. Go registration page and choice signin with email officially
3. Input email official victim, example : gmail.com
4. And then input Name, Fill a password, Confirm password — Click Signup — Done
5. Input First Name & Last Name
6. Choose email preffence And complete — Finish

Note: At this stage you have successfully entered the system using the email that you registered without going through the verification process and you can do any activities using this email

In another Case #2 on the Victim-Side
1. Victim go http://learndigital.withgoogle.com/
2. Go registration page and choice sign in with Gmail
3. Input email & password through Gmail
4. And then the victim sees that his account has been entered by someone unknown

1. Firefox
2. Firefox Private

Version : 63.0.1

Video for PoC :

Attack scenario:

Sourced from : https://www.owasp.org/index.php/Top_10_2014-I8_Insufficient_Security_Configurability

Consider the impact of the business if data can be modified and control of the account assumed, other than that the impact of this is that attacker can fill in the data first before the original account owner enters the system

Timeline :

  1. 14 — June — 2019 : Report the issue
  2. 17 — June — 2019 : Not be severe enough for us to track it as a security bug
  3. 19 — June — 2019 : Explain about the security impact of this bug
  4. 27 — June — 2019 : Triaged
  5. 31 — July — 2019 : Valid issue
Image for post
Image for post
Image for post
Image for post
Image for post
Image for post

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store