Google VRP — [Insecure Direct Object Reference] $3133.70

Caesar Evan Santoso
4 min readOct 20, 2022

--

Google VRP

Hi All!!!, Yes… it’s me. As usual I want to give a story about how I find IDOR [Insecure Direct Object Reference] vulnerability on one of Google’s subdomains (https://datastudio.google.com/)

Description

Google Data Studio is a tools for displaying data to make it easier to read. So, you can determine a website development plan or other business strategy more quickly and precisely.
By the way, it looks like Data Studio is now a Looker Studio

Proof Of Concept

After I tried several Requests that I got on Request Burpsuite and also so many that it made me dizzy, I finally got one of the Endpoints that had this IDOR vulnerability.
The one with the vulnerability is “/persistTempReport

Create Template

The first step I did was go to the “Template” page and then select one of the templates available there.

After you click on one of these templates you will be directed to the Template page that you will create later, and there is an ID but it is not our Template ID (Maybe it’s like a temporary ID from this Data Studio)

Before I click “Edit & Share” I enable Intercept on my BurpSuite, And then click “Add to Report

Get Request {/persistTempReport}

And I got Request from “/persistTempReport”, and this is where I got this IDOR vulnerability.

As you can see in the picture above that the previous ID has changed, and this is my ID and the one you will use later like (https://datastudio.google.com/u/0/reporting/[XXXXXXX]/page/qlD/edit)

And in the picture above this belongs to my 2nd account ID

Found IDOR

In the content of Request “/persistTempReport” there is a parameter named “sourceReportId” which contains our Template ID and we can change it

ID Template Account {A}

And when I changed the contents of the “sourceReportId” parameter with my 2nd account ID, and it worked!

ID Template Account {B}

{getReport} and {persistentTempReport}

It doesn’t stop there, after several times I’ve been looking for more requests, I found 1 Request “/getReport” which will have the same response as “/persistentTempReport

Request and Response from /getReport

And when I change the contents of my Template ID from “/getReport” it will display the response “PERMISSION_DENIED” and on “/persistentTempReport” no error.

Permission Denied at getReport

Reference IDOR

Timeline

> 16 Sep 2022 (01:04) : Get IDOR and report to Google
> 16 Sep 2022 (01:13) : Additional Information (Added /getReport and /persistTempReport equations)
> 20 Sep 2022 : Nice Catch! from Google
> 27 Sep 2022 : The VRP panel has decided to issue a reward of $3133.70 for my report.
> 19 Okt 2022 : Fixing by Google

Follow Me

https://www.linkedin.com/in/c3van/

Thanks!

--

--

Responses (4)