How I was able to delete Google Gallery Data [IDOR]

Yogesh Tantak
Dec 30, 2018 · 2 min read

Hi,
This is Yogesh Tantak, a security researcher from India. Today I am writing about a critical bug that I found in Google’s new product “Gallery”.

You can find more information about this product at the URL below:
https://www.theverge.com/2016/10/26/13418012/google-material-design-stage-gallery-pixate

This bug could have allowed a malicious user to delete all collections from Gallery.io or the Google Gallery app.

I found this Google product when I was testing some Google websites.

The vulnerable API has two parameters:

  1. Project id
  2. Collection id (the actual vulnerable input parameter)

The issue is that the vulnerable API endpoint does not check whether the supplied collection_id actually belongs to a collection of the logged-in user rather than to another user’s collection; it only trusts the id it is given.
I replaced my project’s collection id with another user’s collection_id, and after hitting the delete button the other user’s collection got deleted.
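The missing ownership check, as an added example in Python that is not code from Gallery or Google: a minimal in-memory model of the delete endpoint, with the vulnerable handler (existence check only) beside a fixed one that ties the collection to the requested project and the authenticated user. All class names, function names and sample data are constructed for this illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Collection:
    collection_id: str
    project_id: str
    owner: str  # user who owns the project this collection lives in

@dataclass
class Store:
    collections: dict = field(default_factory=dict)  # collection_id -> Collection
    denied: list = field(default_factory=list)       # audit trail of refused deletes

def seed_store():
    # Constructed sample data: attacker "alice" and victim "bob", one collection each.
    store = Store()
    store.collections["c-alice"] = Collection("c-alice", "p-alice", "alice")
    store.collections["c-bob"] = Collection("c-bob", "p-bob", "bob")
    return store

def delete_collection_vulnerable(store, user, project_id, collection_id):
    """Vulnerable: only checks that the collection exists. Neither project_id nor the
    caller's identity is compared with the collection's owner, so a substituted
    collection_id deletes another user's collection."""
    if collection_id not in store.collections:
        return 404
    del store.collections[collection_id]
    return 200

def delete_collection_fixed(store, user, project_id, collection_id):
    """Fixed: the collection must exist, belong to the project named in the request,
    and that project must be owned by the authenticated user. A mismatch gets the same
    404 as a missing object (no existence oracle) and is logged for detection."""
    col = store.collections.get(collection_id)
    if col is None or col.project_id != project_id or col.owner != user:
        store.denied.append((user, project_id, collection_id))
        return 404
    del store.collections[collection_id]
    return 200

def demo():
    # alice sends her own project id but bob's collection id, as in the writeup
    s1 = seed_store()
    vuln = delete_collection_vulnerable(s1, "alice", "p-alice", "c-bob")
    s2 = seed_store()
    fixed = delete_collection_fixed(s2, "alice", "p-alice", "c-bob")
    own = delete_collection_fixed(s2, "alice", "p-alice", "c-alice")
    return {"vuln": vuln, "bob_gone": "c-bob" not in s1.collections,
            "fixed": fixed, "bob_kept": "c-bob" in s2.collections,
            "own": own, "denied": len(s2.denied)}
```

The `denied` list stands in for whatever audit log the real service would write; a burst of refused deletes from one account across many foreign collection ids is the signal a detection rule would key on.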

[Screenshot: Vulnerable API endpoint]
[Screenshot: Success Response]

Reply from Google:

[Screenshot: Reply from Google Security Team]
[Screenshot: Reward mail from Google]
