Monday, December 14, 2015

Modifying/deleting Google Drive files

This is a short write-up of a bug in the OAuth 2.0 scope enforcement of the Google Drive API.

The bug allowed an application to modify or delete any file in a user's Google Drive, even though the user had only granted the application access to files created by the application itself.

For instance, the consent screen of an application requesting access only to the files it creates looks like this:

According to the Google API documentation, after the user clicks Allow, the app should only be able to access files that were opened or created with this app (this is the 'drive.file' scope).

I went ahead and tried deleting a file that was in the user's Drive but had never been accessed or created by the application. This is the request I sent to test it:


The response was 204 No Content. When I checked my Drive, the file was gone.
This meant that any application holding only the 'drive.file' permission (which should let it see only the files it created itself) could be abused to reach a user's private files: an attacker could read, modify or delete them.

This was reported to the Google security team and has since been fixed.

Jun 5, 2015 - Reported.
Jun 5, 2015 - Triaged.
Jun 11, 2015 - Additional details sent.
Jun 26, 2015 - Fix confirmed, $1337 bounty awarded.

Update: After Google fixed this issue, I was able to bypass the fix. The bypass involved requesting the 'drive.readonly' permission along with 'drive.file': 'drive.readonly' made everything in the user's Google Drive visible to the application, and 'drive.file' could still be used to delete or modify other files in the user's Drive.

The bypass has also been fixed by the Google security team.
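To make the two failures concrete, here is an added example (not Google's code and not the request from the post) that models the authorization decision behind a Drive files.delete call: a buggy check that never consults which app a file was granted to, and a fixed check under which 'drive.readonly' cannot widen 'drive.file' into write access. The scope URIs are the real Drive scopes; the user, app IDs, file IDs and the per-app grant list are constructed for the demo.

```python
"""Added example (not Google's code, and not the request from the post): a
model of the authorization check behind a Drive files.delete call, showing
the missing per-app check the post describes and the later readonly+file
bypass.  Scope URIs are the real Drive scopes; the user, app IDs, file IDs
and the per-app grant list are constructed for the demo.
"""
from dataclasses import dataclass

DRIVE_FULL = "https://www.googleapis.com/auth/drive"
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"
DRIVE_READONLY = "https://www.googleapis.com/auth/drive.readonly"
WRITE_SCOPES = {DRIVE_FULL, DRIVE_FILE}


@dataclass
class DriveFile:
    file_id: str
    owner: str
    # apps that created this file or were handed it by the user (e.g. via the picker)
    apps_with_access: frozenset = frozenset()


@dataclass(frozen=True)
class Token:
    user: str
    app_id: str
    scopes: frozenset


def vulnerable_can_delete(token, f):
    """Buggy check: the file's per-app grant is never consulted, so any
    token carrying a write-capable scope may delete any file of the user."""
    if token.user != f.owner:
        return False
    return bool(token.scopes & WRITE_SCOPES)


def fixed_can_delete(token, f):
    """Hardened check: 'drive.file' writes only to files this app created or
    was given; 'drive.readonly' never widens write access (the bypass)."""
    if token.user != f.owner:
        return False
    if DRIVE_FULL in token.scopes:
        return True
    if DRIVE_FILE in token.scopes and token.app_id in f.apps_with_access:
        return True
    return False      # readonly-only, metadata-only, or file not granted to this app


def delete_status(check, token, f):
    """HTTP status the modelled files.delete would return: 204 on success,
    403 when the token is not allowed to touch the file."""
    return 204 if check(token, f) else 403


# Constructed fixtures: one file the app created, one private file it never touched.
APP_FILE = DriveFile("1AbC-appfile", owner="alice", apps_with_access=frozenset({"shopapp"}))
PRIVATE_FILE = DriveFile("1XyZ-taxes", owner="alice")
TOKEN_FILE_ONLY = Token("alice", "shopapp", frozenset({DRIVE_FILE}))
TOKEN_FILE_AND_READONLY = Token("alice", "shopapp", frozenset({DRIVE_FILE, DRIVE_READONLY}))

if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_can_delete), ("fixed", fixed_can_delete)):
        print(name, "drive.file on own file:", delete_status(check, TOKEN_FILE_ONLY, APP_FILE))
        print(name, "drive.file on private file:", delete_status(check, TOKEN_FILE_ONLY, PRIVATE_FILE))
        print(name, "drive.file+readonly on private file:",
              delete_status(check, TOKEN_FILE_AND_READONLY, PRIVATE_FILE))
```

The point of the fixed version is that the decision is made per (app, file) pair, not per scope: a read scope can add visibility, but the write decision for 'drive.file' still has to find this app in the file's grant list.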

Thursday, December 18, 2014

Stored XSS on Facebook and Twitter!

My colleague Prakash and I were poking at random features, looking for a target worth digging into. We found a new Facebook feature that lets a visitor go to the page owner's website.

The "Shop Now" feature looked interesting because different input fields had different restrictions.
The app-link field caught my eye, because the "deep link" URL had a particularly idiosyncratic example:

The field was sanitized for special characters like <, ", ' and >, so no tags could get through. Such characters came out as:

I tried ( and ). Surprisingly, they weren't sanitized, and of course : would never be filtered, since every URL contains one. I still wasn't sure whether any JavaScript would execute, so I saved the details with the app link set to javascript:alert(document.domain).

I was only a couple of clicks away from finding out whether the test had worked. The script was stored under the "Shop Now" button, and then:

(The detailed exploit scenario is shown in the video.)

The script was inserted straight into the href attribute of the <a> tag, so anyone clicking the button link would have the payload executed in their browser.

Now, besides the client-side filtering, the script no longer executes even if you manage to get around the client-side protection in some way (i.e. the fix is not only on the client).

A very similar endpoint existed on Twitter, too: you could define the action of a button click yourself.

But more on that later.

Both vulnerabilities have been patched by the respective security teams.
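The bug above is a classic context mismatch: escaping <, >, " and ' is the right defence for the attribute context, but an href is also a URL context, and nothing in that escaping touches the scheme. The following is an added example (not Facebook's or the post's code) that reproduces the described filter, shows that javascript: survives it untouched, and puts a scheme check next to it; the normalisation of tabs, newlines and leading control characters mirrors how browsers parse a URL before reading its scheme. The allowed deep-link schemes and the sample payloads are assumptions for the demo.

```python
"""Added example (not Facebook's or the post's code): why escaping < > " '
does not protect an href, and the scheme check that does.  The escaping step
models the filter the post describes; the hardened check and the sample
payloads are constructed for the demo.
"""
import html
import re

# Browsers drop ASCII tab/newline anywhere in a URL and leading whitespace or
# control characters before reading the scheme, so "java\tscript:" and
# "  JavaScript:" both reach the JavaScript interpreter.  Mirror that here so
# the check sees what the browser will see.
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_LEADING_JUNK = "".join(map(chr, range(0x21)))      # NUL..SPACE
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")

# Schemes that execute code or carry inline content when used as a link target.
DANGEROUS_SCHEMES = frozenset({"javascript", "data", "vbscript"})
WEB_SCHEMES = frozenset({"http", "https"})


def normalised_scheme(url):
    """Scheme as the browser will interpret it, lower-cased; None if the URL
    is relative (no scheme)."""
    cleaned = _TAB_NEWLINE.sub("", url).lstrip(_LEADING_JUNK).lower()
    m = _SCHEME.match(cleaned)
    return m.group(1) if m else None


def vulnerable_render(url):
    """What the post describes: <>"' are escaped and the value is dropped
    into the href.  The escaping is correct for the attribute context but
    says nothing about the URL's scheme, so javascript: survives intact."""
    return '<a href="%s">Shop Now</a>' % html.escape(url, quote=True)


def is_safe_link(url, allow_deep_links=True):
    """Accept http(s) URLs and, for an app-link field, custom deep-link
    schemes such as myshop://; reject code-executing schemes and relative
    paths (an absolute target is expected here)."""
    scheme = normalised_scheme(url)
    if scheme is None or scheme in DANGEROUS_SCHEMES:
        return False
    if scheme in WEB_SCHEMES:
        return True
    return allow_deep_links


def hardened_render(url):
    """Validate the scheme first; attribute escaping is still required."""
    if not is_safe_link(url):
        raise ValueError("rejected link target: %r" % (url,))
    return vulnerable_render(url)


if __name__ == "__main__":
    payload = "javascript:alert(document.domain)"
    print(vulnerable_render(payload))        # payload lands in the href unchanged
    for candidate in (payload, "java\tscript:alert(1)", "https://example.com/shop", "myshop://product/42"):
        print("%-40r safe=%s" % (candidate, is_safe_link(candidate)))
```

Where a field must accept arbitrary app deep-link schemes, as this one did, a pure allowlist is not an option, so the deny-list of code-executing schemes plus browser-faithful normalisation is the minimum; a pure https-only field should use allow_deep_links=False.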


Thanks for the read!

Wednesday, October 8, 2014

Facebook and Twitter use Gmail! Wait, what?

I cannot guarantee that what I claim here is 100% accurate, but it has been occupying my thoughts and I reckon it is an interesting issue.

A simple tweak to a GET request tells you which services use Google as their mail provider, and it's no black magic.

At first I was astonished and wondered whether what I was seeing was real.

I found this URL while poking around the admin panel of the mail management console provided by Gmail.

This is what I got, as of now:
So far, so good.

This is where the logos of third-party domains are hosted. If I just change the domain name,

Wow: I haven't even logged into my college's webmail, yet I can see the logo that was uploaded for logged-in users to see.

After this I asked my college's web admin to set up an email account for me, and the logo I had seen earlier turned out to be the real thing.

This is the thing I am talking about:


Now, let's just play around.

This is what is shown as of now:

Well, well, what the heck!
Facebook uses Google's mail service?

I couldn't find a rational explanation that would support "No, they don't".

And Twitter?

You can just swap the domain in the URL to see whether a site uses Gmail as its mail provider:

Now let's see whether some other sites use Gmail:

Nope: since Gmail's default logo appears, they don't seem to use Gmail. (That's my explanation.)

I don't yet know whether this is just coincidence, but I checked several domains I own (and a few of my friends') and it held in each of those cases.

If Gmail is your mail provider and you see something different (or even if you think this is b***s***), feel free to say so in the comments.

Posted by Abhibandu Kafle | 2 comments

Wednesday, May 28, 2014

How I hacked your unverified Facebook accounts!

Here's a short write-up on how I was able to delete any unverified Facebook account. By unverified, I mean accounts whose owners had not yet confirmed the email address linked to Facebook.

All (or most) of the bugs I have reported to various vendors have been authentication related, and this was no different.

Here is how I did it:

There is (well, was) a sign-up function that lets you create a new Facebook account. The twist: when you sign up with an email address that already has a Facebook account (with the email unverified), the response you get is:

Clicking "Insert the confirmation code instead" lets you enter a 5-digit, numeric-only code. Pretty simple, eh?

Let's generate a dictionary from 00000 to 99999:

Now the straightforward part: I fired up Burp, my Swiss army knife.

Notice something peculiar about the last request?
Yes: the response length changes when you've made the correct guess (the AJAX response shown in Burp says so).

Some math:
possible codes = 100,000
requests per second = 100
time to find the code (worst case) = 100,000 / 100 = 1,000 seconds, roughly a quarter of an hour

The impact?

I could permanently delete any unverified Facebook account in about a quarter of an hour. You might try to recover it with the password recovery feature, but all your friends and private messages would be gone; you would have to create an entirely new account.

All I had to do was spend some bandwidth, sit back and relax.

How did I find out if an account was unverified?

One way was to sign up with that email and look at the response (whether or not you are asked for a confirmation code).

For a large number of emails, the other way was to first enumerate Facebook users to find out which emails had a Facebook account, and then use the "Change email address" field to sort out which of those were still unverified.

8 hours later:

It was patched within 3 days of submission, although they kept making odd changes to their mobile platforms and apps for about a month after the bounty was paid.

tl;dr :

1) Make an unconfirmed Facebook account (the target).

2) Try to register a new account with the same email (the attacker)!

3) It will take you from the registration form to the confirmation prompt.

4) Click "Insert the confirmation code instead"!

5) Generate a dictionary.

6) Enjoy deleting accounts!
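As an added example, not the author's Burp Intruder run and not Facebook's code, the following Python models the confirmation-code endpoint described above, runs the 00000..99999 dictionary against it using the response-length oracle, and puts a hardened verifier next to it in which a small attempt budget kills the code after a few wrong guesses. The target code value, the attempt budget and the JSON bodies are assumptions for the demo.

```python
"""Added example (not Facebook's code, not the post's Burp Intruder run): a
model of the 5-digit confirmation-code check the post describes, the
dictionary attack against it using the response-length oracle, and a
hardened verifier that defeats the attack.  The code value, the attempt
budget and the JSON bodies are constructed for the demo.
"""
import hmac
import secrets

CODE_DIGITS = 5
KEYSPACE = 10 ** CODE_DIGITS          # 100,000 possible codes, 00000..99999


def issue_code():
    """A fresh random confirmation code, zero-padded to CODE_DIGITS."""
    return "%0*d" % (CODE_DIGITS, secrets.randbelow(KEYSPACE))


def worst_case_seconds(requests_per_second):
    """Time to try every code at the given rate: 100/s gives 1,000 s."""
    return KEYSPACE / requests_per_second


class VulnerableVerifier:
    """Unlimited attempts, and the success body is a different length, which
    is exactly what Burp's response-length column reveals."""

    def __init__(self, code):
        self.code = code

    def check(self, guess):
        if guess == self.code:
            return '{"ok":1,"redirect":"/confirm/done"}'
        return '{"ok":0}'


class HardenedVerifier:
    """A small attempt budget is the actual fix: after MAX_ATTEMPTS wrong
    guesses the code is dead and a new one must be issued, so the attacker
    gets 5 guesses in 100,000 per code.  Equal-length bodies just remove
    the convenient sort key; they are not the defence."""

    MAX_ATTEMPTS = 5

    def __init__(self, code):
        self.code = code
        self.attempts = 0
        self.locked = False

    def check(self, guess):
        if self.locked:
            return '{"ok":0}'
        self.attempts += 1
        ok = hmac.compare_digest(guess, self.code)
        if not ok and self.attempts >= self.MAX_ATTEMPTS:
            self.locked = True
        return '{"ok":1}' if ok else '{"ok":0}'


def brute_force(verifier):
    """Walk the dictionary 00000..99999, flagging the first response whose
    length differs from a known-wrong guess.  Returns (code, requests_sent);
    code is None if the oracle never fired."""
    requests = 1
    baseline = len(verifier.check("xxxxx"))      # deliberately invalid guess
    for n in range(KEYSPACE):
        guess = "%0*d" % (CODE_DIGITS, n)
        requests += 1
        if len(verifier.check(guess)) != baseline:
            return guess, requests
    return None, requests


if __name__ == "__main__":
    target = "04242"                               # constructed target code
    print("worst case at 100 req/s: %.0f s" % worst_case_seconds(100))
    print("vulnerable:", brute_force(VulnerableVerifier(target)))
    print("hardened:  ", brute_force(HardenedVerifier(target)))
```

Against the vulnerable verifier the loop stops as soon as the body length changes, after as many requests as the code's position in the dictionary; against the hardened one it exhausts the whole dictionary without ever seeing a different response, because the code was invalidated after the fifth miss.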

And a handsome bounty followed:

Thanks for the read!

Saturday, March 15, 2014

How I feel about Internet bug bounties!

Lately I have been spending some time on some of the major bug bounty programs, for a new experience in an entirely new field that I was completely unaware of a few weeks ago!

Since then I have received many kinds of responses! In fact, one of the most interesting parts of bug bounties is seeing how the security engineers view your submissions!

Here are some interesting responses I received:

This one made me LOL!

And of course I made some valid submissions too (perhaps by luck)!

Frankly, I've learned a lot testing well-known, reputable companies, and eventually finding an attack vector is really fascinating. It's always fun to have a live target that could, in some way, be exploited!

Black-box testing is not always that easy! In general, one has to see how a system responds to a vector and change strategy accordingly. However, because free and custom scanner tools are so readily available, people keep trying to replace that process with scanners, as a shortcut! That is a poor substitute, because a tool barely understands the context and just keeps firing random payloads in the hope of a valid response. So, basically, tools are not the solution!

A big conflict is: is bug bounty hunting a field of security research? Can bug bounties keep up that feeling, that thirst, that enthusiasm for gaining knowledge in someone who has the mindset of a so-called 'hacker'? (See "Who is a hacker?" for what I mean by a hacker.)

The first thing I'd say is that when bug bounty hunting is done solely to make money, it gets worse! The person loses the enthusiasm to learn new things and falls back on skid methods to get onto a whitehat page.

Having said that, the money the company awards, at its sole discretion, also represents the severity of the bug! Of course, a full path disclosure (FPD) won't be rewarded the same as an OAuth bypass!

Almost every site on the internet now has a bug bounty program and a whitehat acknowledgement page! This is simply because they can't take the risk of getting hacked; they are using the sentiment to their benefit! With many sites built on custom frameworks, framework-level vulnerabilities do exist in every site that uses them!

The point here is that while participating in bug bounties may not be a big achievement, finding a new attack methodology is. Finding a bug may not be that important; developing the mindset of thinking like an attacker is one of the important lessons bug bounties teach you!

Is bug bounty really worth it from the company's perspective?

Well, in short, yes! Some recent examples: Mt. Gox had no department to respond to security bugs, and bugs can be really expensive. Mt. Gox shut down (at least, that is what their website states). However, Coinbase, a similar kind of vendor, is alive and strong, and it has one! Yahoo was breached several times before, but since it launched its program I haven't heard of a breach in quite a while!

Do you call a "security researcher" who just runs a scanner, reports what it finds and doesn't even know what the flaw means a skid?

Well, this is true to some extent. But how about this: the same goes for the companies. A skid gets $100 for reporting some random FPD, but a bug that could cost the entire company's property and trust is rewarded with $10,000 by PayPal, $20,000 by Google and $33,500 by Facebook. Is PayPal worth just $10,000?

So I think the sides are basically even. One person gets onto the whitehat page with a vulnerability that barely affects the server's CIA (confidentiality, integrity and availability) properties, and another with one that could affect all of them!

So, if they can pay very little (compared to how devastating it could have been), it is fair enough to report an XSS. But what matters is that pasting a payload into every search box you see, without any knowledge of JavaScript, doesn't train your mind in any way!

For example, let's look at these two findings by @joernchen on GitHub.

The two issues he reported:
2) 2-factor authentication brute force

The most severe possible bug is valued at $5,000. However, the 2-factor authentication brute force, which is a minor issue because the attacker already needs the victim's password, gets $1,000.

So for the first issue the reporter is at a complete loss, and for the second the company is.
So I see the sides as pretty evenly balanced, with the great findings always taking most of the losses!

Also, XSS isn't always skid stuff. JavaScript experts actually look at how each payload is processed, which characters are blacklisted, what is reflected and, overall, whether the input is validated and sanitized well. Bug bounty hunting should be more than pasting payloads from your notepad into search forms!

Of course "money" will always be a driving factor in the field! It should be, because a server-side privilege escalation or an authentication bypass should always take priority over an XSS bug, and that priority is shown by the amount the company is willing to pay the researcher.

Moreover, from one perspective it is also about that feeling of pride in helping the community stay secure! It's not always about the money, and it shouldn't be!

Tuesday, April 2, 2013

Brute-forcing Facebook using Python and a dictionary

(This is not a Facebook hack tool; in fact, a Facebook hack tool does not even exist. Please read carefully: it is just a Python script that brute-forces Facebook logins, for educational purposes only.)

Here is a way to brute-force the Facebook password of an account with a dictionary. The tool is written in Python; you need Python 2.7.3 and mechanize (a Python library) installed on your PC.

1) To install Python on Windows, download the 2.7.x version from python.org.
Linux machines come with Python preinstalled.

2) To install mechanize, download it from the project's page: the zip if you are on Windows, the tar.gz if you are running Linux.

3) On Windows, copy all files from C:\Python27 to C:\Windows\System32 so that python can be run from any command prompt (adding C:\Python27 to your PATH does the same more cleanly).

Linux users can skip this step.

4) In a command prompt, change to the directory where you extracted mechanize.

5) Run the install command (python setup.py install).


Now you are ready to run the program.

Download the .py file from the following link (skip the ad):

Now open the brute-forcer in IDLE. To open IDLE, press the Windows key and search for 'idle'.

Press Ctrl+N to open a new window. To run the program, simply press F5.

You should get the following output:

Happy cracking!

Warning: this information is for educational purposes only! xD

Friday, February 8, 2013

Security and privacy issues in Facebook photos due to Graph Search

Even though Graph Search is an interesting feature recently added to Facebook, for some people the first impression has been 'creepy'.

In Graph Search you can search for terms like
'Movies that movie actors like'
'People going to watch today's soccer match'
'People who like wine'

and the results will include people totally unrelated to you, except that they match your search query.

Graph Search promises to show only content that is already visible to you, which means the same search produces different results for different people.

Because of this, people who have nothing to do with you can find you in their results. That can make it necessary to make everything on your timeline private, out of fear of showing up in other people's search results.

So, if you want your Facebook to be a private place where nobody you don't know bothers you, you'd better make every one of your posts and interests private in your account's privacy settings.
Posted by Abhibandu Kafle | 1 comment