Google VRP (Acquisitions) — [Insecure Direct Object Reference] 2nd

Caesar Evan Santoso
3 min readNov 10, 2022

--

Google VRP

Hi All!, Yuuppp…It’s me again! XD. As the title suggests, I will share how I found the [Insecure Direct Object Reference] vulnerability in one of Google’s acquisitions (https://www.appsheet.com/).

Description

AppSheet is an application that provides a no-code development platform for application software, which allows users to create mobile, tablet, and web applications using data sources like Google Drive, DropBox, Office 365, and other cloud-based spreadsheet and database platforms.
https://www.appsheet.com/

Proof Of Concept

After I did some tests on the menu, I got one menu where this menu will send a template to send an Email and the template will enter our Google Docs or Drive.

App “B” (Attacker) & “C” (Victim)

Here I create 2 accounts where the account from the profile picture “B” is the Attacker, and “C” is the Victim.

Attacker “B”
Victim “C”

It can be seen in the image below that the last document named “Victim” is the last document of this Victim account.

Request “Attacker” & “Victim”

To make it easier here I will share the ID differences in my two accounts

ID Attacker & Victim

And here is the Request from “Attacker”

ID Attacker

And here is the Request of “Victim”

ID Victim

Test IDOR & Spamming Docs Victim

Here I use Burpsuite’s Intruder and change the “ID” of the “Attacker ID” to the ID of the “Victim”.

Intruder BurpSuite

It can be seen in the Response image below that it displays a successful response and there is also a response related to the Docs sent to the Victim’s Docs.

FileName : DocId

And if I look at the Docs belonging to the “Victim” account it will get Spam from this

Questions & Answers

  1. How do I find the ID ?
    You can rely on Google Search to find these ID

2. For “Version” do we have to follow the victim’s Version ?
No, you can use your own “Version” and do not have to follow the victim’s Version.

Timeline

> 27 Sep 2022 : Get IDOR and Report to Google
> 10 Okt 2022 : Nice Catch!
> 11 Okt 2022 : The VRP panel has decided to issue a reward of $XXX for my report
> 6 Nov 2022 : Fixed!

Follow Me

https://www.linkedin.com/in/c3van/

Sheeeeessshhhhhh!

--

--