Send an Email to me and get kicked out of Google Groups !! — #GoogleVRP — A Feature that almost broke Google Groups !!

Sriram Kesavan
Published in InfoSec Write-ups
5 min read · Feb 20, 2022

Reported: Jun 26, 2021 12:51PM

A lot of people might know what Google Groups is. For people who don’t, Google Groups allows users to create a group with multiple users in it, and a common mail ID is provided. That ID can be used to interact with the members of the group by simply sending an email.

For example:

You create a group named “Apple fans” and a Mail ID “apple_fans@googlegroups.com” will be provided. Members in the group can simply send an email and the message will be posted in the group !!

Organizations even use Google Groups as a Ticket tracking system, and a modified version is being used by Google as a Payment Support System, as per my knowledge and some information I gathered.

I never really wanted to test on Google Groups, but the revised UI made me hunt there. And tbh it was cool.

So I created a group named “Test Groups”, added some of my test accounts, and following that I was provided with a common email ID “test_groups_one@googlegroups.com”.

When I started sending out messages to the Google Group, one feature got my attention, which was “+unsubscribe@googlegroups.com” in the email. This feature has been available in Google Groups for so many years. But I never saw a single person test this, so I decided to test it myself this time !!

When a user in my “Test Group One” isn’t interested in continuing in a group, he/she can simply send an email to test_groups_one+unsubscribe@googlegroups.com

So let’s assume I added my friend “friend1@example.com” and he isn’t interested in continuing in the group. He can send a mail to test_groups_one+unsubscribe@googlegroups.com and he will be removed from the group automatically. Here’s a video of how it actually works.

A lot of you might think Email Spoofing is the issue, but it wasn’t !!

I initially spent more time (probably more than a week, even more) on how the users were removed from the groups and how the SPF policy actually worked in this case. So, in order to remove the user, we need to trick the victim into replying directly to +unsubscribe@googlegroups.com, so I tried the “reply-to” function, which is common in most mailing services.

So when we send out an email, the user’s reply will be sent to the unsubscribe email, and the user will be removed from the group. Refer to the image below for a spoofed mail which reply-to

But there was a disadvantage: the victim can visibly see which email he/she is replying to. Even if I report this, there’s no way the guys from Google will accept this. So I had to rethink even more in order to find a better attack scenario.

So what I planned was to mask the unsubscribe email. Right now there are so many proxy services, but they were too costly and I opted for an even cheaper option.

The trick here is Auto-Forwarding Emails (Google Support). Here’s a simple image for better understanding:

So, when the Victim sends a random email to our ID ‘random-user@gmail.com’, all the incoming emails are automatically forwarded to ‘test_groups_one+unsubscribe@googlegroups.com’, and the Victim is removed from the Google group automatically; the system actually fails to verify it.

Simplified version of the attack scenario.

A Simple image for better understanding !! I tried this attack scenario where I created a group for my organization, added my friends with their consent and sent them an email. They replied to my email and BOOM, they got removed from the group one by one. LOL

And here’s a Final Video POC of how it is achieved.
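A defender-side sketch of the check that was missing in the scenario above, added here as an example (it is not from the original write-up and is not Google's fix): a list server that treats the From header as insufficient proof of intent, rejects relayed commands, and removes a member only after a token mailed to that member's own inbox comes back. The signing key, the list of forwarding headers and the sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses, parseaddr

SECRET = b"constructed-demo-key"  # hypothetical per-list signing key
UNSUB = "test_groups_one+unsubscribe@googlegroups.com"
MEMBERS = {"friend1@example.com"}
# Assumed relay markers; tune to what your own mail path really stamps.
FORWARD_HEADERS = ("X-Forwarded-To", "X-Forwarded-For", "Resent-From")

def confirm_token(member):
    """Token mailed to the member's own inbox before any removal happens."""
    mac = hmac.new(SECRET, member.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def handle_unsubscribe(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in MEMBERS:
        return "ignore"
    typed = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses(typed)}
    # The member never addressed the command address: a mailbox in between
    # relayed the message, so the From header proves nothing about intent.
    if UNSUB not in rcpts or any(h in msg for h in FORWARD_HEADERS):
        return "reject_relayed"
    words = msg.get("Subject", "").split()
    supplied = words[-1] if words else ""
    if hmac.compare_digest(supplied.encode(), confirm_token(sender).encode()):
        return "remove"
    return "send_confirmation"

# Constructed sample messages (not captured traffic).
DIRECT = f"From: friend1@example.com\nTo: {UNSUB}\nSubject: unsubscribe\n\n"
FORWARDED = (
    "From: friend1@example.com\nTo: random-user@gmail.com\n"
    f"X-Forwarded-To: {UNSUB}\nSubject: Re: hello\n\nSure!\n"
)
CONFIRMED = (
    f"From: friend1@example.com\nTo: {UNSUB}\n"
    f"Subject: Re: confirm {confirm_token('friend1@example.com')}\n\n"
)

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("forwarded", FORWARDED),
                      ("confirmed", CONFIRMED)):
        print(name, "->", handle_unsubscribe(raw))
```

The confirmation step is what carries the guarantee: even if a relay strips every forwarding header and rewrites To, the worst outcome is a confirmation mail the member can ignore.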

But, when I decided to send this issue to Google VRP the response didn’t make me happy :(

Yes, the report was closed as ‘Intended Behavior’ with above explanation. Seriously, Google Security bois, I started crying literally :(

But I wasn’t giving up. The next thing I did was get permission from the Google bois to publish a write-up regarding this. So I quickly made a write-up and sent it back to get approval. And after a week, I got this back: The Product team was favorable in addressing this issue.

Hoooray !!!

And yes, this was what I was expecting and it happened. Exactly two weeks had passed and it was time for the reward now.

And yes, it was rewarded $3133.7, which was higher than I expected coz I estimated this issue to be $500 or $1337. And this is one more reason to love Google and Google VRP.

An initial patch has been applied and I’ve also reported a patch bypass, which is accepted and waiting for a Google VRP Panel review.

So see y’all in a new write-up soon guys !!

Thanks for reading !!

Well, if you love this write-up, drop a clap 👏. Let’s connect then:

Twitter: sriramoffcl

Instagram: sriram_offcl

LinkedIn: sriramkesavan

Peace ✌️ !!!

Thanks for proof-reading: Sandiyo Christan
