Skip to main content

Posts

Google Adwords(Privilege Escalation): Read-only user able to add YouTube channels via Linked accounts

STEWIE NOT DOG, HUNT SOME BUGS MY BOY!!!! Google AdWords , is Google's advertising system in which advertisers bid on certain keywords in their searchable ads. Since advertisers have to pay for these clicks, Google makes money from search. ISSUE : A user with read only access to the adwords account was able to link Youtube channels to the adwords account. Reported: 5th April   Steps to reproduce: 1. Go to https://adwords.google.com create a test adwords account. From settings, Account access add another userA with Read-only access (Here's the access right is allocated as read only users) Now 3. Go to user A mail account and accept the invitation to join the adwords account. 4. from user A adwords account go to settings then Linked accounts and then youtube, with below description:   YouTube channels Link a YouTube channel to your AdWords account to gain greater insights about your customers. 5. Add a youtube channel and accept the
Recent posts

Facebook WhiteHat: Able to access group plan details even after leaving the group.

Facebook WhiteHat: Able to access group plan even after leaving the group. Product/URL :  https://www.facebook.com/messages/t/[group_messagesID] Description and Impact Facebook messages has an option to create group, where a user can add multiple friends to chat, plan share pictures together. Whenever a user is not a part of the group, he is not allowed to see the updated information of the group. However one can still access the group plan even when not in a group. Peter, is it? Reproduction Instructions/Proof of Concept We have two test accounts, (test A) and (test B) 1. Test A Creates a new Group, Test Group, add members.(test B, test C ) 2. Test A creates a plan in group, with date, venue and plan name. 3. There is some argument between Test A and Test B, and Test B leaves the group. 4. Test A and Test C decides to change the plan venue as Test B was already aware of the all plan details. 5. Test A changes the plan venue and date, however T

Missing Authorization check while deleting App Review for Marketing API: Facebook Whitehat

Missing Authorization check while deleting App Review for Marketing API Peter, was enjoying the weekend, and he heard Lois screaming. Hey, Peter, when are we getting new Television: Well, huh!!! Alright… Let's find something Honey :p  Facebook has an option for App Review for Marketing API: This privilege is only given to app admin: App Review can only be submitted by app admins. Please contact an admin on the app to submit this app for review. Impact: A developer can change the app submission settings which can only be done by an admin and can also play with current submission settings. here's the official documentation: Facebook developer's documentation The authorization check for the developer is missing on backend for the add/delete requests. Peter being a developer was able to delete the added submissions(despite of having them disabled on front end) Steps to replicate: 1. create a test app, 2. add admin A and developer B 3. from developer B’

Hijacking Friend Requests Facebook: White Hat ./FamilyGuy

Facebook BugBounty: Intercept incoming friend requests of Victim add/accept to your facebook account: Product/URL:   Facebook android app on facebook Description and Impact The issue: Missing authorisation check while accessing friend request API on android app,  an attacker can add friend requests of any facebook user into his own account. in simple words Peter says: Wait, what, no, no, Peter is a nice fellow. Peter: Ok, but still  Its like I can intercept and accept friend requests from someone which was send to some other user via Facebook send friend request to contacts option. Let's report!! Sceanrio: X sends friends request by contacts option to Y. And I can get the request which was send to Y and become friend with X. Reproduction Instructions/Proof of Concept: 1. install latest android app.  2. Create new account.  3. Enter a random mobile number[victim's]. 4. Enter a good name. 5. Enter gender. 6. You can skip uploadi