[ BUG BOUNTY ] Flaw in Authentication ( Hall of Fame Google )

Danang Tri Atmaja
Oct 21 · 3 min read

بسم الله الرحمن الرحيم

(This is a Simple POC).

So the story is long. First I want to say Alhamdulillah until today. :)

I was begin intend to gather information … recon, recon and recon at the stage of searching for subdomains and their directory.

Tools:

Sub-domain search:

1. Knockpy — https://medium.com/hacker-toolbelt/knokpy-5c6745e53770
2. Sublist3r — https://github.com/aboul3la/Sublist3r

Directory search:

  1. Dirsearch — https://github.com/maurosoria/dirsearch

A long story short is i found a subdomain from google subdomain.

I got a target : https://learndigital.withgoogle.com/digitalgarage

From the look of this website you can see that there are two method for account registration forms to enter the system.

And then, I am reminded of a proof of concept that I made, which is :

https://medium.com/@danangtriatmaja/bug-bounty-allowing-register-with-official-domain-cfe605d83b63

Where when someone does the registration process, the system does not verify the registered email.

#Bugbountytips : Security Impact is Email addresses can be sign-in using main domain without verification, and this is can do an action with official email or other.

“sometimes you can try this method to registration with email officially or other and enter the system without verification”

And this is how to reproduce this issue :

Summary: Insufficient Security Configurability | Flaw in Authentication

Steps to reproduce:

Case #1 on the Attacker-Side
1. Go http://learndigital.withgoogle.com/
2. Go registration page and choice signin with email officially
3. Input email official victim, example : gmail.com
4. And then input Name, Fill a password, Confirm password — Click Signup — Done
5. Input First Name & Last Name
6. Choose email preffence And complete — Finish

Note: At this stage you have successfully entered the system using the email that you registered without going through the verification process and you can do any activities using this email

In another Case #2 on the Victim-Side
1. Victim go http://learndigital.withgoogle.com/
2. Go registration page and choice sign in with Gmail
3. Input email & password through Gmail
4. And then the victim sees that his account has been entered by someone unknown

Browser/OS:
1. Firefox
2. Firefox Private

Version : 63.0.1

Video for PoC :

Attack scenario:

Sourced from : https://www.owasp.org/index.php/Top_10_2014-I8_Insufficient_Security_Configurability

Consider the impact of the business if data can be modified and control of the account assumed, other than that the impact of this is that attacker can fill in the data first before the original account owner enters the system

Timeline :

  1. 14 — June — 2019 : Report the issue
  2. 17 — June — 2019 : Not be severe enough for us to track it as a security bug
  3. 19 — June — 2019 : Explain about the security impact of this bug
  4. 27 — June — 2019 : Triaged
  5. 31 — July — 2019 : Valid issue

Danang Tri Atmaja

Written by

IT { enthusiast } se{curi}ty

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade