Into the symmetry

In my previous blog post I mentioned a following post about some vulnerability I found in https://accounts.google.com/. As said, motivated from my little success that I got finding a vulnerability in some obsolete authorization service in Facebook I thought I might have the same luck with Google :) Well it turned out this was the case... Giving a look at the Older Protocols in the Google Accounts Authentication and Authorization page something that immediately caught my attention was the AuthSub (deprecated) flow. Now, I am not going to describe here the flow, it is enough saying that it is a pre-OAuth flow that Google used to give some access delegation using some sort of tokens... The problem was related with the scope parameter in www. google .com/accounts/ AuthSubRequest . It accepted concatenation of string after a valid scope.  E.g.  https://accounts.google.com/AuthSubRequest?next=http%3A%2F%2Flocalhost%3A8080%2Fa&scope=http%3A%2F%2Fwww.google.com%2Fcalendar

One of the most important thing of anyone keen about security is to keep up to date with what is going on... Hence I have a good collection of rss feed security's related. One post that caught my attention a couple of months ago was this one from Stephen Sclafani. In a nutshell he was able to get a more than decent bounty of 20000$ exploiting some old Facebook API that is the precursor of Facebook's OAuth implementation. Since I am a curious person I decided to give a look at these old APIs just to see the evolution of security over time. I was not hoping to find anything interesting under the bounty point of view since Stephen had found them all (he even did a second blog post collecting another 20000$!!). Well, indeed I was right until some extent. I haven't found anything interesting under the security point of view (strictly speaking) nevertheless I was able to find a minor security issue ( Information disclosure) that got rewarded by Facebook with a bounty... :)