How I was able to send Authentic Emails as others — Google VRP [Resolved]
Report ID: 161777102 — Google VRP
Well, I went back to Google VRP after three months to move up the Hall of Fame. Google Cloud caught my attention, so I decided to hunt bugs there.
NOTE: This isn't my usual complicated write-up. It is about a simple, clean logic vulnerability I found in a Google Cloud product and wanted to share here.
I went through Google Cloud's product list and one product got my attention: AppSheet, which became my favourite target in the whole Google Cloud catalogue, because I spent days understanding the application, which made it easier to hunt for more bugs.
After about 20 minutes of exploring the application I found an interesting page at https://www.appsheet.com/partners
It had a form to enrol as a partner, with input fields such as Name, Email and Request, which sends an email to the respective partner organisation.
At first this contact form did not draw much of my attention; instead I found a couple of IDORs in the application, which were reported to Google VRP and resolved. You can find the write-ups here
Then the contact form got my full attention when I noticed something suspicious in the request.
I found four parameters in the request:
"PartnerEmail": "Destination partner email"
"userName": "My username"
"userEmail": "My email"
"userRequest": "My message"
I tried server-side injection payloads on the userRequest parameter but had no luck. It was, however, vulnerable to HTML injection: when I sent userRequest as <img src="test.png">, the image was rendered in the resulting mail.
But Google won't accept plain HTML injection unless it can be escalated to XSS. I couldn't get an XSS to fire or test for SSRF, because the application sat behind Cloudflare, which blocked all my XSS payloads.
Then I tried replacing the partner email with "admin@google.com" and forwarded the request. I had no expectation of receiving an email, but to my surprise I received one, looking exactly as if "admin@google.com" had sent me the message I had entered in the form.
Wait, whaaat?!
No blocking mechanism; it passed Google's spam filter without any issue; and, most importantly, Gmail automatically marked the email as Important. I was even able to send emails as any Gmail user.
The userEmail parameter could also be replaced with any address, which means I could send an email as Donald Trump to Kim Jong-un without exposing my identity.
I soon realised the form was effectively an open mail relay, a class of issue that still shows up in applications today.
I could send an email as any person, for example to fire an employee from an organisation, or to send phishing mail and stage other attacks. Alternatively it could be used as a mailbox to roll out a massive email campaign without any trouble and without spending a single penny. And no worries about mails ending up in spam, because they come from Google's systems and are even signed by google.com, sent from a Google Cloud product, AppSheet. Since the message parameter was vulnerable to HTML injection, the mails could be made even more convincing by adding images and href links.
An attacker simply has to fill in the form and tamper with the request to send this authentic-looking spoofed mail as any email user.
I quickly reported the issue to Google; it was accepted and resolved within 48 hours :)
Write-ups on the IDOR vulnerabilities I found in Google Cloud will be published once the issues get resolved! Stay tuned!!
Well, if you love this write-up, drop a clap 👏, and let's connect:
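To make the root cause concrete, here is an added example (not AppSheet's code, which the post does not show, and not the author's) of a contact-form mail builder in Python, in both the shape described above and a hardened shape. It assumes the mapping the post observed: the address in PartnerEmail ends up as the visible sender, the address in userEmail as the recipient, and the free text in userRequest is rendered as HTML. The sample request, the partner allowlist and the fixed no-reply sender are all constructed for the example.

```python
import html
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed request: the four parameters named in the write-up, with the two
# address fields tampered the way the post describes. All values are made up.
TAMPERED_FORM = {
    "PartnerEmail": "admin@google.com",     # attacker-chosen visible sender
    "userName": "Mallory",
    "userEmail": "victim@example.net",      # attacker-chosen recipient
    "userRequest": "Your account is locked, reset it at "
                   '<a href="https://phish.example/reset">this link</a>',
}

# Hypothetical allowlist: the only mailboxes a partner enquiry may be delivered to.
PARTNER_MAILBOXES = {"partners@example.com", "partners-emea@example.com"}
SYSTEM_SENDER = "Partner Form <no-reply@example.com>"  # assumed fixed system sender


def build_mail_vulnerable(form):
    """Mirror of the behaviour described in the post: both addresses and the
    body come straight from the request, and the body is sent as HTML.
    Any address can be spoofed, any address can be targeted, and tags render."""
    msg = EmailMessage()
    msg["From"] = form["PartnerEmail"]
    msg["To"] = form["userEmail"]
    msg["Subject"] = f"Partner request from {form['userName']}"
    msg.set_content(f"<p>{form['userRequest']}</p>", subtype="html")
    return msg


def _clean_address(raw):
    """Return the bare addr-spec from a form field, or None if the field is not
    a single plain address (no display name tricks, no CR/LF header injection)."""
    _, addr = parseaddr(raw)
    if not addr or "@" not in addr or any(c in raw for c in "\r\n"):
        return None
    return addr.lower()


def build_mail_hardened(form):
    """Hardened handler: From is a fixed system address, the recipient must be
    an allowlisted partner mailbox, the submitter's address only ever lands in
    Reply-To, and all free text is HTML-escaped and sent as text/plain."""
    partner = _clean_address(form["PartnerEmail"])
    if partner not in PARTNER_MAILBOXES:
        raise ValueError("PartnerEmail is not an allowlisted partner mailbox")
    reply_to = _clean_address(form["userEmail"])
    if reply_to is None:
        raise ValueError("userEmail is not a plain e-mail address")

    msg = EmailMessage()
    msg["From"] = SYSTEM_SENDER        # never user-controlled
    msg["To"] = partner                # user picks only among allowlisted mailboxes
    msg["Reply-To"] = reply_to         # the only place the submitter's address goes
    msg["Subject"] = "New partner enrolment request"  # fixed; no user text in headers
    body = (
        "A visitor submitted the partner form.\n\n"
        f"Name: {html.escape(form['userName'])}\n"
        f"Email: {reply_to}\n\n"
        f"{html.escape(form['userRequest'])}\n"
    )
    msg.set_content(body)              # text/plain: tags are shown, not rendered
    return msg


if __name__ == "__main__":
    print(build_mail_vulnerable(TAMPERED_FORM))  # spoofed From, phishing HTML intact
    try:
        build_mail_hardened(TAMPERED_FORM)
    except ValueError as exc:
        print("hardened handler refused:", exc)
    print(build_mail_hardened(dict(TAMPERED_FORM, PartnerEmail="partners@example.com")))
```

Run the hardened builder on the tampered request and it refuses, because admin@google.com is not a partner mailbox; swap in an allowlisted mailbox and the enquiry goes out from the fixed system address, with the submitter's address in Reply-To and the phishing link shown as escaped text rather than a clickable tag. The general rule is that no user-supplied field may select From, and the set of reachable recipients has to be closed; if the form must also send the submitter a receipt, that receipt should carry a fixed template and none of the free text.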
Twitter: sriramoffcl
Instagram: sriram_offcl
LinkedIn: sriramkesavan
Donate: https://paypal.me/sri123
Peace ✌️ !!!