This is Yogesh Tantak, a security researcher from India. Today I am writing about a critical bug that I found in Google’s new product, “Gallery”.
You can find more information about this product at the URL below:
This bug could allow a malicious user to delete all collections from Gallery.io or the Google Gallery app.
I found this Google product when I was testing some Google websites.
The vulnerable API has two parameters:
- Project id
- Collection id (the actual vulnerable input parameter)
The issue is that the vulnerable API endpoint doesn’t check whether the value provided for collection_id is actually the id of a collection belonging to the logged-in user, rather than another user’s collection_id.
I replaced my project collection id with another user’s collection_id, and after hitting the delete button, the other user’s collection got deleted.
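The missing ownership check described above, shown next to a corrected handler. This is an added example, not Google's code and not part of the original write-up; the in-memory store, the `Collection` fields and both handler names are hypothetical, and the sample data is constructed.

```python
# Added illustration: in-memory model of a collection-delete handler.
# All names (Collection, make_store, delete_collection_*) are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller does not own the referenced object."""


class NotFound(Exception):
    """Raised when the referenced object does not exist."""


@dataclass
class Collection:
    collection_id: str
    project_id: str
    owner: str


def make_store():
    # Constructed sample data: two users, one collection each.
    rows = [
        Collection("c-100", "p-1", "alice"),
        Collection("c-200", "p-2", "bob"),
    ]
    return {c.collection_id: c for c in rows}


def delete_collection_unchecked(store, session_user, project_id, collection_id):
    """Flawed pattern: trusts collection_id from the request as-is."""
    if collection_id not in store:
        raise NotFound(collection_id)
    del store[collection_id]  # no ownership check: any valid id is deleted


def delete_collection_checked(store, session_user, project_id, collection_id):
    """Corrected pattern: authorize the object against the session user."""
    coll = store.get(collection_id)
    if coll is None:
        raise NotFound(collection_id)
    # The collection must belong to the caller AND to the project named
    # in the same request; otherwise refuse and leave the data untouched.
    if coll.owner != session_user or coll.project_id != project_id:
        raise Forbidden(collection_id)
    del store[collection_id]
```

The owner is taken from the server-side session, never from a request parameter, and a refused request is a useful event to log for detection.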
Reply from Google: