Posts

Showing posts from September, 2014

Bounty leftover Part #2 (target Google)

In my previous blog post I mentioned a follow-up post about a vulnerability I found in https://accounts.google.com/. As said, motivated by the little success I had finding a vulnerability in an obsolete authorization service at Facebook, I thought I might have the same luck with Google :) Well, it turned out this was the case... Looking at the Older Protocols in the Google Accounts Authentication and Authorization page, something that immediately caught my attention was the AuthSub (deprecated) flow. Now, I am not going to describe the flow here; it is enough to say that it is a pre-OAuth flow that Google used to delegate access using some sort of tokens... The problem was related to the scope parameter in www.google.com/accounts/AuthSubRequest. It accepted arbitrary strings concatenated after a valid scope. E.g.
https://accounts.google.com/AuthSubRequest?next=http%3A%2F%2Flocalhost%3A8080%2Fa&scope=http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2F/%3Cscript%…

Bounty leftover Part #1

One of the most important things for anyone keen on security is to keep up to date with what is going on...
Hence I have a good collection of security-related RSS feeds.
One post that caught my attention a couple of months ago was this one from Stephen Sclafani. In a nutshell, he was able to get a more than decent bounty of $20,000 exploiting some old Facebook API that is the precursor of Facebook's OAuth implementation.
Since I am a curious person, I decided to take a look at these old APIs just to see the evolution of security over time. I was not hoping to find anything interesting from a bounty point of view since Stephen had found them all (he even did a second blog post collecting another $20,000!!).
Well, indeed I was right to some extent. I haven't found anything interesting from a security point of view (strictly speaking); nevertheless I was able to find a minor security issue (information disclosure) that got rewarded by Facebook with a bounty... :)
Indeed ht…