
Friday, July 22, 2016

Delete Project Owner's Account Google Pixate

I have no idea how Google calculates rankings in its VRP, but this was the only bug I have ever reported to Google, and it secured #74 on https://bughunter.withgoogle.com/.

Pixate was acquired by Google back in July 2015. It is a next-generation mobile interaction design service aimed at helping designers create complex animations and interactions without writing code. The platform generates 100% native mobile prototypes as they are being designed, enabling you to refine unique experiences and communicate interactive ideas to stakeholders and team members. (Copied from http://help.pixate.com/knowledgebase/articles/461798-1-introduction)



On one bright day in June I was browsing Facebook and saw people posting about the invitations they had received for BountyCraft 2016 at Defcon. BountyCraft is an event co-sponsored by Google, Microsoft and Facebook, where they meet bug hunters from different countries, socialize, eat and have drinks. I had seen similar posts on my Facebook wall the previous year and wanted to be there, but I was too lazy to try to find a bug. And even if I had found one, I could not have afforded to sponsor my own trip to Vegas. Since I had planned to attend both Black Hat and Defcon this year, I wanted to attend this event. So here is the story of how I found the issue in Pixate.



As it is tough to find bugs on the main domain, I started looking at Google's acquisitions list. It is fairly easy to find bugs in acquisitions, as they are developed by a completely different team. I started looking for CSRF, XSS and session-related flaws and wasted almost 3 hours, as the application was pretty secure. I stopped and thought: why don't I start working on the application's logic instead? Here is what I analyzed and did:


"A low-privileged admin user can delete the project owner's account"

Steps to reproduce:
1. Log in to your account on app.pixate.com in Chrome.
2. Create a cloud project and invite a user by email to collaborate.
3. The invited user accepts the invitation and creates an account in Firefox.
4. The project owner can now see that the collaborator has joined the team.
5. In Chrome, the project owner makes the collaborator an admin of the project.
6. By design, the collaborator can be removed from the team only if a) the owner removes him, or b) the collaborator leaves the team himself.
7. The collaborator can see the owner's userId by clicking on the owner's name on the team page.
8. The collaborator clicks the "remove account" button, intercepts the request in a proxy, and changes the userId in the query string to the project owner's userId.
9. As soon as the collaborator forwards the remaining requests and responses, the owner's account is deleted.
10. The owner can no longer log in to his account.
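The steps above describe a classic insecure direct object reference: the server authenticated the collaborator's session but chose which account to delete from the attacker-controlled userId in the query string, without checking that the caller was allowed to act on that account. The following example is added here to illustrate that pattern; it is not Pixate's code, and the handler names, the in-memory store and the sample users (owner 1, collaborator 2) are all constructed for the demonstration. It models the vulnerable handler, a hardened version that derives the target from the session, and a team-removal rule that enforces the "only the owner removes others, and the owner can never be removed" policy from step 6.

```python
"""Constructed model of the account-deletion flaw described above (not Pixate's code)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an authorization check fails."""


@dataclass
class Project:
    owner_id: int
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)


def make_store():
    """Constructed sample data: owner (1) and a collaborator (2) who has been made admin."""
    users = {1: "owner@example.com", 2: "collab@example.com"}
    projects = {"proj": Project(owner_id=1, admins={2}, members={1, 2})}
    return users, projects


def delete_account_vulnerable(users, session_user_id, query):
    """Hypothetical vulnerable handler: checks only that the caller is logged in,
    then trusts the userId from the query string to decide *which* account to delete."""
    if session_user_id not in users:
        raise Forbidden("not logged in")
    target = int(query["userId"])  # attacker-controlled, never compared to the session
    del users[target]
    return target


def delete_account_fixed(users, session_user_id, query):
    """Hardened handler: the target is the authenticated user. A userId parameter is
    tolerated for compatibility but must match the session, otherwise the request is refused."""
    if session_user_id not in users:
        raise Forbidden("not logged in")
    requested = query.get("userId")
    if requested is not None and int(requested) != session_user_id:
        raise Forbidden("cannot delete another user's account")
    del users[session_user_id]
    return session_user_id


def remove_member_fixed(projects, session_user_id, project_id, target_id):
    """Team-removal rule from step 6: a member may leave, the owner may remove others,
    and the owner can never be removed through this path, regardless of who asks."""
    project = projects[project_id]
    if target_id == project.owner_id:
        raise Forbidden("owner cannot be removed from their own project")
    if session_user_id != project.owner_id and session_user_id != target_id:
        raise Forbidden("only the owner may remove other members")
    project.members.discard(target_id)
    project.admins.discard(target_id)
    return target_id


def replay_attack(handler):
    """Replay step 8 (collaborator 2 sends userId=1) against a handler.
    Returns (owner_account_still_exists, error_message_or_None)."""
    users, _ = make_store()
    try:
        handler(users, session_user_id=2, query={"userId": "1"})
        return 1 in users, None
    except Forbidden as exc:
        return 1 in users, str(exc)


def attempt_remove(session_user_id, target_id):
    """Exercise the team-removal rule on a fresh store.
    Returns (allowed, remaining_members_or_error_message)."""
    _, projects = make_store()
    try:
        remove_member_fixed(projects, session_user_id, "proj", target_id)
        return True, sorted(projects["proj"].members)
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("vulnerable:", replay_attack(delete_account_vulnerable))
    print("fixed:     ", replay_attack(delete_account_fixed))
    print("owner removes collaborator:", attempt_remove(1, 2))
    print("collaborator removes owner:", attempt_remove(2, 1))
```

The useful check when testing an endpoint like this is exactly what the write-up did: take the identifier out of the request, swap it for another principal's, and see whether the server re-derives the target from the session or simply trusts the parameter. In the hardened handler the query-string userId cannot widen the caller's authority, because the only account the caller can ever delete is their own.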

I created a video proof of concept which can be seen below.


Timeline:
June 15th, 2016 - Report sent, automated response received
June 15th, 2016 - Bug Triaged
June 15th, 2016 - Bug Filed
July 12th, 2016 - Fixed and Bounty rewarded

Finally, I got an invitation from the Google Security team for BountyCraft 2016. Thanks for reading; comments and suggestions are welcome.

