google forum's ultra vires loophole (us $500)

Posted by millikan at 2020-03-17

Recently, I have been testing Google's services, looking for security holes everywhere, and finally found some very interesting holes. In the whole process of digging the loopholes, my heart is like riding a roller coaster, both happy to find the loopholes and lost when the loopholes are rejected. In this article, I'm going to introduce a simple but interesting Google forum authorization bypass vulnerability (which gave me a $500 reward).

First:GWT(Google Web Toolkit)

Have you heard of Google Web Toolkit (GWT)? I have to admit that although this is not an advanced technology (in fact, it appeared as early as 2006 and became an open source project in 2013), I never really touched Google before I started testing its services.

Google Web Toolkit Google Web Toolkit

Fortunately, there are many researches on GWT security now, and I can barely understand the meaning of some requests.

Class enumeration

Now let's take a look at Google groups. If you have never used this service before, you can simply understand it as a forum platform. You can create your own forum or group, invite participants to discuss topics, manage forum permissions, and decide who can view / update different sections of the Forum (Group). And, as you might expect, Google forums are built with GWT.

In general, when I test GWT requests, I don't mess up the signature bits of the request (that is, the numbers separated by pipe characters at the beginning and end of the request), but test some parameters.

I quickly found a sensitive parameter. In the following GWT request, I found that the number in the box represents a specific class on the server side:

The number '4' points to the 'abstractsearchkey' class

The number '8' points to the 'shared. Category' class

So, I used burp to brutally crack the names of all classes:

Although this is not a huge security problem in itself (I have reported this problem to Google, which thinks it is "low-risk"), it gives me the impetus to move forward. I think there must be security flaws in the GWT implementation of Google forum.

View data for other groups

Again, I looked at all the GWT requests that were captured. It was found that a string in one of the requests was the name of the test group I created:

Yes, this "test test..." It's the best name I can think of.

In response to this request, the basic information of the group, such as e-mail, subject and description of the group, is included. OK, so, can I only view the information of the group I created?

I quickly created a new group with my second Google account (set all permissions to "private", that is, only invited users are allowed to view any content of the group), and then I used my first account to query the information of the new group. As a result, I was able to see some sensitive information and successfully found an unauthorized loophole:

Data set to "private" can be seen even if it is not a member

Unfortunately, I can't see the conversations of group members, but I can only see the email and description of the group. However, this is the first time that I have found a vulnerability in GWT, which may indicate that it has the same vulnerability as other programming methods.


Baimaohui is engaged in information security, focusing on security big data and enterprise Threat Intelligence.

Company products: fofa - Cyberspace Security search engine, foeye - cyberspace retrieval system, nosec - security information platform.

To provide you with: cyberspace mapping, enterprise asset collection, enterprise Threat Intelligence, emergency response services.