How i earned $500 from google by change one character .

My name is oday and today i will share one bug in Google from 4 bugs i discovered, Which is in “admanager”. I was able to turn off/on notification email victim account by bypassing the CSRF protection .

What is Cross site scripting forgery?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated”.

Let’s start ..

When sign in to your account on admanager.google.com for first time,you will note that there is option to modify email notification settings.

I capture request using burp suite and i am start to try bypass CSRF_TOKEN:

As you can see the security_token sent as parameter .I tried different ways to bypass security_token ,but unfortunately i couldn’t bypass it :( .

After try all bypass ways ,i crossed my mind to add random value with same length for security_token .And boom it work :)

After that i change just one character on my security_token ,and i tried poc on different accounts and it worked also .

Google vrp rewarded me $500 for this bug :D

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store