Google Bug: Posting on groups as any user’s behalf
Google Groups is a service from Google that provides discussion groups for people sharing common interests.Today I will be sharing one of my finding in Google group.Using this issue an attacker could’ve post on any user’s behalf.
“Google Mail is vulnerable to e-mail spoofing so this made the attack easy”
Steps to reproduce
1. Search group where we want to post a new topic.
2. spoof e-mail using below command I used smtp2go server.
f — victim email id
t — google group email
s — smtp server and port
I have already set IP authentication in smtp server which we don’t need authenticate using username and password
Refresh the group page and a post is made on victim’s behalf :”)
Reported: Aug 14,2017,6:24 PM
Google response: intended behavior!