How I was able to delete Google Gallery Data [IDOR]

Hi,
This is Yogesh Tantak, a security researcher from India. Today I am writing about a critical bug that I found in Google’s new product “Gallery”.

You can find more information about this product at the URL below:
https://www.theverge.com/2016/10/26/13418012/google-material-design-stage-gallery-pixate

This bug could have allowed a malicious user to delete every collection on Gallery.io or in the Google Gallery app.

I found this Google product while I was testing some Google websites.

The vulnerable API had two parameters:

  1. Project id
  2. Collection id (the actual vulnerable input parameter)

The issue was that the vulnerable API endpoint did not check whether the supplied collection_id actually belonged to a collection of the logged-in user rather than to another user’s collection. This is a classic insecure direct object reference (IDOR): the server authenticated the request but never authorized the object it referred to.
I replaced the collection id of my own project with another user’s collection_id, and after hitting the delete button that other user’s collection was deleted.
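To make the missing check concrete, here is an added example (not Gallery’s code, and nothing the report discloses about its internals): a minimal in-memory model of a “delete collection” endpoint, once with the IDOR pattern described above and once with the ownership check that closes it. All users, ids and function names are constructed for illustration.

```python
# Added example, not Gallery's code: models a delete endpoint that takes a
# project_id and a collection_id, first without an ownership check (IDOR),
# then with authorization of the referenced object. Data is constructed.
from dataclasses import dataclass, field

@dataclass
class Collection:
    collection_id: int
    project_id: int
    owner: str  # user who owns the project this collection belongs to

@dataclass
class Store:
    collections: dict = field(default_factory=dict)

    def add(self, c):
        self.collections[c.collection_id] = c

def delete_vulnerable(store, current_user, project_id, collection_id):
    """Trusts the client-supplied collection_id and only checks it exists.
    Any authenticated user can delete any collection whose id they supply."""
    if collection_id not in store.collections:
        return 404
    del store.collections[collection_id]
    return 200

def delete_fixed(store, current_user, project_id, collection_id):
    """Authorizes the object, not just the session: the collection must sit
    in the given project and that project must be owned by current_user.
    Returning one 404 for both 'missing' and 'not yours' avoids confirming
    which ids exist."""
    c = store.collections.get(collection_id)
    if c is None or c.project_id != project_id or c.owner != current_user:
        return 404
    del store.collections[collection_id]
    return 200

def demo():
    """Constructed scenario: alice sends a delete carrying bob's collection_id."""
    store = Store()
    store.add(Collection(collection_id=101, project_id=1, owner="alice"))
    store.add(Collection(collection_id=202, project_id=2, owner="bob"))
    vuln = delete_vulnerable(store, "alice", 1, 202)  # bob's data is gone
    store.add(Collection(collection_id=202, project_id=2, owner="bob"))  # restore
    fixed = delete_fixed(store, "alice", 1, 202)      # now refused
    own = delete_fixed(store, "alice", 1, 101)        # alice's own still works
    return vuln, fixed, own, sorted(store.collections)

if __name__ == "__main__":
    print(demo())  # (200, 404, 200, [202])
```

The same pattern applies to any per-object endpoint: the authorization check must be keyed on the identifier the client actually controls, not only on the session.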

[Screenshot: Vulnerable API endpoint]
[Screenshot: Success response]

Reply from Google:

[Screenshot: Reply from Google Security Team]
[Screenshot: Reward mail from Google]