Google Drive Information Leak

Google Drive & Gmail attachments Leak

This is part of the Google bounty program.

This [CSRF] exploit allows an attacker to leak your Google Drive files.

That means an attacker could leak Gmail attachments that were uploaded to Google Drive, photos you shared through Gmail, or any other third-party content.

Here is the non-technical product flow:

You go to Google Drive and upload a file, then decide to share it with example@domain.com. Google generates a 28-character hash for the uploaded file and includes this hash in the email it sends to example@domain.com.

The exploit reproduction steps:

1. Open drive.google.com and log in.
2. Intercept the traffic to POST https://drive.google.com/act.
3. Replace the docId parameter with any other docId.
4. The API responds with the document list and hashes for the targeted docId.

docId is a kind of unique ID for each Google Drive account.

Example IDs:
0ALWQPi6NE9vbUk9PVA
0ALEF_Oqt-UCPUk9PVA
0ANqT87FNEYawUk9PVA

As you can see, they all start with 0A and end with Uk9PVA; there is a kind of sequence here and it is easy to brute-force.
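As an added example (not code from this post or from Google), the reported bug in miniature: a constructed in-memory store stands in for Drive, the vulnerable listing trusts whatever docId the request carries, the fixed listing binds the docId to the signed-in account, and a generator shows what an unpredictable id looks like. The store contents, account names and the second file hash are constructed; only the first docId and file hash come from the post.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Drive:
    owner: str                                   # account that owns this drive
    files: list = field(default_factory=list)    # entries: [file_hash, name, mime]


# Constructed sample data modelled on the post's response format.
DRIVES = {
    "0ALWQPi6NE9vbUk9PVA": Drive("alice", [
        ["0B7WXP883E9vbX1CBZWtaemtPNXM", "20140121_130143.jpg", "image/jpeg"],
    ]),
    "0ALEF_Oqt-UCPUk9PVA": Drive("bob", [
        ["constructed-file-hash-0001", "report.pdf", "application/pdf"],
    ]),
}


def act_vulnerable(session_user: str, doc_id: str) -> list:
    """Mirrors the reported behaviour of POST /act: the docId from the request
    body selects the drive, and the session user is never checked against
    the drive's owner, so any known or guessed docId lists its shared files."""
    drive = DRIVES.get(doc_id)
    return drive.files if drive else []


def act_fixed(session_user: str, doc_id: str) -> list:
    """Hardened form: the docId is honoured only when it belongs to the
    authenticated account. Unknown and foreign docIds get the same empty
    answer, so the response does not reveal whether an id exists."""
    drive = DRIVES.get(doc_id)
    if drive is None or drive.owner != session_user:
        return []
    return drive.files


def new_doc_id() -> str:
    """The ids in the post share a fixed '0A' prefix and 'Uk9PVA' suffix, so
    only the middle varies. A fresh id should be random end to end; 24 bytes
    from the OS CSPRNG give 192 bits of entropy as a 32-character URL-safe
    string, which is not feasible to enumerate."""
    return secrets.token_urlsafe(24)
```

The authorization check, not the id format, is the real fix: an unguessable id only limits how quickly a missing check is exploited.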

The malformed request:

Google Drive responds with a JSON document containing the files shared from your account.

Example response:

As you can see here:

["0B7WXP883E9vbX1CBZWtaemtPNXM","20140121_130143.jpg","image/jpeg"]

Anyone with the hash 0B7WXP883E9vbX1CBZWtaemtPNXM could access the file 20140121_130143.jpg.

You would be able to access this file via the link https://drive.google.com/file/d/0B7WXP883E9vbX1CBZWtaemtPNEM/

Exploit reported: Apr 22 2015
Exploit fixed: Apr 30 2015
docId hash improved: May 7 2015
