How I made 1 Lakh in 7 minutes via accessing 25 Million users Mail ID via Google Pay. [Responsible Disclosure]

Sriram
primefort


I’ve been using Google Pay lately and it’s very convenient for me to lend money from my friends! *just not to make you feel I’m rich*

What is Google Pay?

Google Pay uses near field communication (NFC) to transmit card information facilitating funds transfer to the retailer. It replaces the credit or debit card chip and PIN or magnetic stripe transaction at point-of-sale terminals by allowing the user to upload these in the Google Pay wallet. It is similar to contactless payments already used in many countries, with the addition of two-factor authentication. The service lets Android devices wirelessly communicate with point of sale systems using a near field communication (NFC) antenna, host-based card emulation (HCE), and Android’s security.

Google Pay takes advantage of physical authentications such as fingerprint ID where available. On devices without fingerprint ID, Google Pay is activated with a passcode. When the user makes a payment to a merchant, Google Pay does not send the credit or debit card number with the payment. Instead it generates a virtual account number representing the user’s account information. This service keeps customer payment information private, sending a one-time security code instead of the card or user details.

Source: Wikipedia

So, I found a simple yet fairly severe bug in Google Pay, which can be reproduced as follows.

  1. Install Google Pay from the Play Store and complete the basic setup procedure it asks for.
  2. Generate a list of phone numbers with a Python script, or some other programming language you’re familiar with, and save it in your phone contacts.
  3. Now open Google Pay and tap the “New” button, as shown in the image below.
     [Image: Click New]
  4. It will now show whoever uses Google Pay out of that phone number list as “Google Pay Connections”.
  5. Just tap any contact and it will show the email ID associated with the Google Pay account.

Why is this serious?

It shouldn’t be like that, wherein a stranger finds your phone number and gets your e-mail ID. I had a thought of writing a web app to reproduce it, as @akhilreni said, wherein someone could enter a phone number and get the email ID if it’s registered in Google Pay. With that you could make a list of email IDs for marketing purposes, and it could also be a great catch for social engineering peeps.
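One way a contact-discovery backend could limit the exposure described above, as an added example (not Google's code or fix, and not part of the original post): the lookup returns only a masked e-mail hint and caps how many phone numbers one account may look up per time window. `ContactDiscovery`, `mask_email`, the limits and the sample directory are all hypothetical.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory: phone number -> account record (not real data).
DIRECTORY = {
    "+910000000001": {"name": "Asha", "email": "asha.k@example.com"},
    "+910000000002": {"name": "Ravi", "email": "rv@example.org"},
}

def mask_email(email):
    """Keep the first character of the local part and the domain; hide the rest."""
    local, _, domain = email.partition("@")
    # Pad to at least three stars so very short local parts do not leak their length.
    return local[:1] + "*" * max(len(local) - 1, 3) + "@" + domain

class ContactDiscovery:
    """Hypothetical server-side lookup with a per-caller budget of phone numbers."""

    def __init__(self, max_lookups=100, window_s=86400, clock=time.monotonic):
        self.max_lookups, self.window_s, self.clock = max_lookups, window_s, clock
        self._seen = defaultdict(deque)  # caller id -> timestamps of past lookups

    def _allow(self, caller, n):
        now = self.clock()
        q = self._seen[caller]
        while q and now - q[0] > self.window_s:  # drop lookups outside the window
            q.popleft()
        if len(q) + n > self.max_lookups:
            return False
        q.extend([now] * n)
        return True

    def discover(self, caller, numbers):
        numbers = list(dict.fromkeys(numbers))  # de-duplicate, keep order
        if not self._allow(caller, len(numbers)):
            raise PermissionError("contact lookup budget exceeded")
        out = []
        for num in numbers:
            rec = DIRECTORY.get(num)
            if rec:  # the full e-mail address never leaves the server
                out.append({"phone": num, "name": rec["name"],
                            "email_hint": mask_email(rec["email"])})
        return out
```

A rejected batch is a useful detection signal as well: an account that repeatedly exhausts its budget with mostly unregistered numbers looks like contact-list enumeration rather than normal address-book sync.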

Similar Bugs with Facebook.

https://nakedsecurity.sophos.com/2018/01/09/facebook-bug-could-have-exposed-your-phone-number-to-marketers/
https://www.adweek.com/digital/bug-exposed-email-addresses-phone-numbers/
https://techcrunch.com/2013/06/21/facebook-security-bug-exposed-personal-account-information-emails-and-phone-numbers-six-million-accounts-affected/

Responsibly Disclosed to Google

Reported on Oct 23, 2018, 01:07 PM

Triaged on Oct 23, 2018, 09:54 PM

Bounty on Dec 11, 2018, 10:50 PM

Sriram
primefort

Security Researcher | Founder, Director Technical— PrimeFort Pvt. Ltd | Google VRP Top Researcher