Google Groups unsubscribe feature abused to remove members without consent

2 years ago 143
BOOK THIS SPACE FOR AD
ARTICLE AD

Emma Woollacott 23 February 2022 at 11:52 UTC
Updated: 23 February 2022 at 11:57 UTC

‘This could have destroyed the Google Payment system flow,’ security researcher tells The Daily Swig

Google Groups unsubscribe feature abused to remove members without consent

A flaw in Google Groups has netted a security researcher $3,133 after he discovered that the unsubscribe feature could be abused to remove members without their consent.

More than 20 years old, Google Groups allows people to set up discussion groups with a common mail ID for members. Using this service, members of the group can send a single email that will then be posted in the group chat.

Members can automatically unsubscribe to the group by sending an email to, for example, ‘test_groups_one+unsubscribe@googlegroups.com’.

DON’T MISS Jaw-dropping Coinbase security bug allowed users to steal unlimited cryptocurrency

However, Sriram Kesavan, founder and director of security at India-based TG Cyberlabs, discovered that it was possible to trick the system into removing Google Groups members at will, without their knowledge.

His technique was to email the group and use the ‘reply-to’ feature, common to most mailing services, so that any reply would be sent to the unsubscribe email address and the member automatically removed.

Stealth removal

Using auto-forwarding allowed Kesavan to make the group removal process invisible to the user concerned.

Kesavan says he was able to use the technique to remove users from a Google Group he set up within his own company – and that Google itself uses the service as a Google Payment tracking system.

Read more of the latest hacking news from around the world

“I could have literally removed Google employees on several official groups, even if I have no access to it,” he tells The Daily Swig.

“This could have literally destroyed the Google Payment system flow, and could have caused delays on their internal payments.”

Retrospective bug bounty

When Kesavan reported the issue to Google, it was at first rejected as “intended behaviour”. With permission, he then submitted a full write-up, which won him the a $3,133.70 reward.

“Initially the person who was attending to my report was not given sufficient information from my side to decide and finalize it as a valid security issue,” he says.

“Later, when I decided to send a write-up which had all the information, they realized the impact of this issue and the team decided to patch this ASAP, so a quick and simple patch was applied in order to prevent users from exploiting it.”

A Google spokesperson said the company was unable to comment.

YOU MIGHT ALSO LIKE AirTag clone bypassed Apple’s tracking-protection features, claims researcher

Read Entire Article