Tl;dr: Sometimes the bounty is hidden in plain sight — a simple IDOR by changing the Google Drive file ID. Blocked by a login/paywall? Read it for free here: https://c2a.github.io/simple-idor-on-google
…
Pssst… I am now part of SysBraykr, an offensive security company from Asia. Go check out our website if you want to meet a bunch of interesting people in the cybersecurity field (like me! :)).
…
Back in 2019, when I had just started learning about hacking and bug bounty hunting, I had this dream of being in Google’s Hall of Fame.
I mean, their products are everywhere — billions of people use them every day — so I thought it would be awesome to be one of the recognized people who helped make it safer for everyone. Back then, there weren’t that many people doing it.
So, I randomly chose one of their products and started hunting. As expected, it wasn’t that easy. Days went by, and nothing came up. I started to think maybe I wasn’t ready for this and should go for an easier target. But then, I decided to switch to a considerably less famous Google product: REDACTED.google.com.
After reading their documentation on developer.google.com to understand the functionality, I began my hunt. On one occasion, I actually found an XSS vulnerability, but it triggered on a properly sandboxed domain (*.googleusercontent.com), which is intended behavior and not a valid bug according to their rules.
That was until I stumbled upon a feature where we could import a file from Google Drive (and it worked perfectly). When I intercepted the request using my lovely Community Edition Burp Suite, I noticed that it was using the Drive file ID in the POST parameter docId to identify which Drive file we chose.
I noticed that the docId is present in the Google Drive file URL, something like this:
https://drive.google.com/open?id=18TrUTt3SI3fmKNut8SREDACTED
The endpoint returns a JSON response with a token and the title of the file we picked. I sent it to the Repeater and started to play with the request. A crazy thought suddenly crossed my mind — what if I used someone else’s file? A private one?
Hmm… For those who don’t know, we can make a file private on Google Drive by changing the permission settings. If other people want to access it, they have to request access from the owner.
So, I created a private file on my other account and put the ID in the docId parameter. And surprisingly, it worked! The server returned a 200 response along with the token and file name, even though the requester shouldn’t have had access to the private file.
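The import flow described above, as an added example that is neither Google's code nor the author's: a minimal model of the docId handler, first as reported (the file is resolved by ID alone, so the response leaks title and type to whoever sends a valid ID) and then with the requester's Drive permission checked before a token and title are returned. The user names, file IDs and in-memory store are constructed stand-ins.

```python
# Added example, not the original page's or Google's code. Models the
# "import from Drive" endpoint in two versions: the IDOR as reported, and a
# hardened handler that checks the requester's access to the file first.
import hmac
import hashlib
import secrets

# Constructed in-memory "Drive": file ID -> owner, sharing list, metadata.
# (Both IDs are placeholders, not real Drive file IDs.)
DRIVE_FILES = {
    "FILE_ID_PRIVATE_EXAMPLE": {
        "owner": "victim@example.com",
        "shared_with": set(),          # private: nobody else was granted access
        "title": "salary-review.pdf",
        "mime": "application/pdf",
    },
    "FILE_ID_SHARED_EXAMPLE": {
        "owner": "alice@example.com",
        "shared_with": {"requester@example.com"},
        "title": "notes.txt",
        "mime": "text/plain",
    },
}

SERVER_KEY = secrets.token_bytes(32)  # per-process signing key (assumption)

def issue_token(requester: str, doc_id: str) -> str:
    """Bind the import token to both the requester and the file."""
    msg = f"{requester}:{doc_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def can_access(requester: str, doc_id: str) -> bool:
    """Drive's own permission check, modelled: owner or explicitly shared."""
    f = DRIVE_FILES.get(doc_id)
    return f is not None and (requester == f["owner"] or requester in f["shared_with"])

def import_vulnerable(requester: str, doc_id: str) -> dict:
    """The bug as reported: the file is looked up by ID alone, so any valid
    docId yields a 200 with the file's title and type to any requester."""
    f = DRIVE_FILES.get(doc_id)
    if f is None:
        return {"status": 404}
    return {"status": 200, "token": issue_token(requester, doc_id), "title": f["title"], "mime": f["mime"]}

def import_fixed(requester: str, doc_id: str) -> dict:
    """Hardened: the requester's permission is checked before anything about
    the file is revealed; unknown and forbidden IDs both get 404 so the
    response does not confirm that a guessed ID exists."""
    if not can_access(requester, doc_id):
        return {"status": 404}
    f = DRIVE_FILES[doc_id]
    return {"status": 200, "token": issue_token(requester, doc_id), "title": f["title"], "mime": f["mime"]}
```

In a log review, the vulnerable version is recognisable by 200 responses for docId values whose owner is not the authenticated user and which were never shared with them.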
I reported this bug straight away. The next day, they triaged the report and escalated it from P4 all the way to P2. Two days later, I got the beloved “Nice Catch!” catchphrase.
At that time, although the bounty decision was still in discussion, my name had already been carved into their “Honorable Mention” page (not Hall of Fame, not yet). I honestly didn’t expect to get a bounty reward, considering this was a fairly simple, low-hanging fruit bug. I needed to know the file ID to exploit it, which is a fairly unique, long, random token, AND I could only go as far as knowing the file name and file type.
But I think they take security very seriously (or maybe they found something worse internally — who knows ¯\_(ツ)_/¯). Because, surprisingly, three weeks later, I got an update saying my report was worth $3,133.70. Damn, they’re crazy (in a good way, of course ❤).