Google VRP (Acquisitions) — [Insecure Direct Object Reference] 2nd
Hi all! Yuuppp… It’s me again! XD. As the title suggests, I will share how I found the [Insecure Direct Object Reference] vulnerability in one of Google’s acquisitions (https://www.appsheet.com/).
AppSheet is an application that provides a no-code development platform for application software, which allows users to create mobile, tablet, and web applications using data sources like Google Drive, Dropbox, Office 365, and other cloud-based spreadsheet and database platforms.
Proof Of Concept
After I did some tests on the menus, I found one menu that sends a template for sending an email, and the template also ends up in our Google Docs or Drive.
App “B” (Attacker) & “C” (Victim)
Here I created 2 accounts: the account with the profile picture “B” is the Attacker, and “C” is the Victim.
It can be seen in the image below that the last document named “Victim” is the last document of this Victim account.
Request “Attacker” & “Victim”
To make it easier, here I will share the ID differences between my two accounts.
And here is the Request from “Attacker”
And here is the Request of “Victim”
Test IDOR & Spamming Docs Victim
Here I use Burp Suite’s Intruder and change the “ID” from the “Attacker” ID to the ID of the “Victim”.
It can be seen in the Response image below that it displays a successful response and there is also a response related to the Docs sent to the Victim’s Docs.
And if I look at the Docs belonging to the “Victim” account, they are getting spammed by this.
Questions & Answers
1. How do I find the ID?
You can rely on Google Search to find these IDs.
2. For “Version”, do we have to follow the victim’s Version?
No, you can use your own “Version” and do not have to follow the victim’s Version.
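The missing server-side check behind this finding, shown as an added example that is not part of the original post and is not AppSheet's code: a handler that trusts the client-supplied ID next to one that ties the ID to the authenticated session. The store, handler names, account names and IDs are all hypothetical and constructed for illustration.

```python
# Added illustration: hypothetical names and constructed data, not AppSheet code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """The session user may not act on the requested app."""


@dataclass
class Store:
    owners: dict = field(default_factory=dict)  # app_id -> owning account
    docs: dict = field(default_factory=dict)    # account -> created documents


def send_template_vulnerable(store, session_user, app_id, version):
    # Trusts the client-supplied app_id: the document lands in the Docs of
    # whoever owns that app, and session_user is never consulted.
    owner = store.owners[app_id]
    store.docs[owner].append(f"template v{version}")
    return 200


def send_template_hardened(store, session_user, app_id, version):
    # Authorize the object against the authenticated session before acting.
    # Unknown and foreign IDs fail identically; "version" grants no access.
    owner = store.owners.get(app_id)
    if owner is None or owner != session_user:
        raise Forbidden(app_id)
    store.docs[owner].append(f"template v{version}")
    return 200


def replay(handler, attempts=3):
    """Account B replays its own request with account C's app ID."""
    store = Store(owners={"app-id-B": "B", "app-id-C": "C"},  # constructed IDs
                  docs={"B": [], "C": []})
    blocked = 0
    for _ in range(attempts):
        try:
            handler(store, "B", "app-id-C", "1.0")
        except Forbidden:
            blocked += 1
    return len(store.docs["C"]), blocked  # (docs created for C, requests refused)


if __name__ == "__main__":
    print("vulnerable:", replay(send_template_vulnerable))  # (3, 0)
    print("hardened:  ", replay(send_template_hardened))    # (0, 3)
```

Because the IDs can be found through search, as the first answer above notes, the ownership check is the only control here; the ID itself cannot be treated as a secret.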
> 27 Sep 2022 : Get IDOR and Report to Google
> 10 Oct 2022 : Nice Catch!
> 11 Oct 2022 : The VRP panel has decided to issue a reward of $XXX for my report
> 6 Nov 2022 : Fixed!