Wednesday, March 5, 2014

Authorization Bypass in Google Orkut

I was playing with Google Orkut during the bug bounty. Orkut is  a social networking web site owned by Google  at

I  was investigating the robots file on and I found something suspicious. I found a messages page although there  was no link in the web site that directs to such page.

I navigated to the page and it was functional.

I targeted such page because I thought that it was ignored and that it would contain security flaws. I started inspecting the delete message feature:

This was the request sent when deleting a particular message:

 The server reads the id passed in the "msg" parameter and deletes the message. I tried to abuse this feature and put an id of another user that I created.

The message was deleted :-)

I was so happy at the beginning before I realized that the message ids are not so predictable. :-(

Sample message id:

Sample message id for another user

This will make the vulnerability not exploitable. I thought of asking for help from Google to find a solution for this problem. I used the Google search : inurl:msg inurl:messages.aspx

It revealed messages ids in the URLs. Although such URLs will lead to 404 pages, they reveal  message ids which can be used by an attacker to  exploit such vulnerability :-).

Those message sections were also vulnerable the same way:
–    Unauthorized movement of messages between folders
–    Unauthorized marking of messages to be read/unread

Google fixed the issue immediately and  acknowledged me in their news feeds:

Google rewarded me and added my name to the rewarded hall of fame list :-)

Google's bug bounty program is the best. The rules link is on

No comments:

Post a Comment