Sunday, August 3, 2014

I hate you, so I pawn your Google Open Gallery

Hi, long time no see. Quite busy with works and probably will not able to update too much in future.

Going to share with you guys another bug I found in Google.
The bug as shown below.
Google is currently open service port 80 and 443. These ports are exposing what kind of service they're using. This bug worth $10k. Ok. Just a joke. Lets be serious.

Last time I found a bug in one of Google's service, Open Gallery. Using this service, it allows a user to share their exhibition art stuff (sorta) and each of the exhibition will be given a specific URL at *.culturalspot.org domain. And, this domain cannot be changed once we saved the name.

I created two different account for Open Gallery.
  1. jablor.culturalspot.org (using attacker@gmail.com) -
  2. test333.culturalspot.org (using prakhar's_motorbike@gmail.com)
Both of the current state for its exhibition page as shown below.
jablor.culturalspot.org

test333.culturalspot.org         
 I have some revenge at prakhar's_motorbike@gmail.com, and luckily this guy currently selling his arts using Open Gallery (test333.culturalspot.org). Lets pawn his Open Gallery!

What I'm doing below shows that
  1. I run up my Burpsuite in my account and try to save my current setting.
  2. I trapped the request during the saving process and change my domain from jablor.culturalspot.org into my target's URL, test333.culturalspot.org
  3. What happen? His Open Gallery stuff changed into mine and his domain owned by me. He will see his domain as my content and the content itself will be controlled by me. :)
Trigger up Burp and change the domain

My original culturalspot will be non-exist as its already changed into victim's URL
Victim's culturalspot with my content :)


That's all guys. Have fun.
This was fixed by Google Team :)