Well, I went back to the Google VRP after 3 months to rank up on the Hall of Fame. Google Cloud caught my attention and I decided to hunt bugs there.
NOTE: This isn't my usual complicated write-up, but it is about a simple and clean logical vulnerability that I found in a Google Cloud product, which I wanted to share here.
I went through Google Cloud and one product got my attention. It had a form to enroll as a partner, and it had a simple contact form to send a mail to the respective organization.
At first this contact form did not draw much of my attention; instead I found a couple of IDORs in the application, which were reported to the Google VRP and resolved (write-up will be shared soon).
Then the contact form totally got my attention when I found something suspicious in the request.
I found four parameters in the request:
"PartnerEmail": "Destination Partner Email"
"userName": "My Username"
"userEmail": "My Email"
"userRequest": "My Message"
I tried server-side injection on the userRequest parameter but had no luck. It was, however, vulnerable to HTML injection: when I sent userRequest as <img src="test.png">, the image was rendered in the mail.
But Google isn't going to accept HTML injection unless it can be escalated to XSS. I couldn't fire an XSS or test for SSRF because there was Cloudflare at the back-end, which literally blocked all my XSS payloads.
Then I tried replacing the partner email with "admin@google.com" and forwarded the request. I had no belief that I would receive an email, but to my surprise I did, just as if "admin@google.com" had sent a mail with my message from the form included.
Wait, whaaat?!
No blocking mechanism, it passed the spam filter without any issues, and most importantly, Google magic automatically marked the email as Important. I was even able to send emails as any Gmail user.
The userEmail parameter could also be replaced with any email, which means I could send emails as Donald Trump to Kim Jong-un without exposing my identity.
I could send emails as any person, even to fire an employee from an organization, and send emails for phishing or other possible attacks. On the other hand, it could be used as a mailbox to roll out a massive email campaign without any issues and without spending a single penny, because the mails came right from Google systems and were even signed by google.com. And since the message parameter was vulnerable to HTML injection, it was even more possible to send emails with more authenticity by adding images and href tags.
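To make the flaw concrete, here is an added example (mine, not the original write-up's nor any Google code): a contact-form mailer that trusts all four parameters, beside a hardened version that relays only to enrolled partners, sends from a fixed service address, and escapes the message body. The partner allowlist, the service sender address and the sample request are constructed placeholders.

```python
import html
from email.message import EmailMessage

# Constructed sample of the four request parameters described in the write-up.
SAMPLE_REQUEST = {
    "PartnerEmail": "partner@example-partner.test",
    "userName": "Sample User",
    "userEmail": "sample.user@example.test",
    "userRequest": 'Hello <img src="test.png">',
}

# Hypothetical allowlist of enrolled partner contact addresses (constructed).
ENROLLED_PARTNERS = {"partner@example-partner.test"}
# Hypothetical fixed sender on the service's own domain (placeholder, not a real address).
SERVICE_SENDER = "noreply@contact-form.example"


def build_mail_vulnerable(req):
    """Mirrors the flawed behaviour: every header and the body come straight from the request."""
    msg = EmailMessage()
    msg["To"] = req["PartnerEmail"]          # any destination the client chooses
    msg["From"] = req["userEmail"]           # sender identity chosen by the client
    msg["Subject"] = f"Partner request from {req['userName']}"
    msg.set_content(req["userRequest"], subtype="html")  # raw HTML reaches the inbox
    return msg


def build_mail_hardened(req):
    """Relay only to enrolled partners, send from a fixed address, and neutralise HTML."""
    partner = req["PartnerEmail"].strip().lower()
    if partner not in ENROLLED_PARTNERS:
        raise ValueError("destination is not an enrolled partner")
    # Reject header injection via CR/LF in fields that end up in headers.
    for field in ("userName", "userEmail"):
        if any(c in req[field] for c in "\r\n"):
            raise ValueError(f"invalid characters in {field}")
    msg = EmailMessage()
    msg["To"] = partner
    msg["From"] = SERVICE_SENDER                 # identity is the service's, not the user's
    msg["Reply-To"] = req["userEmail"]           # user-supplied address goes to Reply-To only
    msg["Subject"] = "Partner contact form submission"
    # Escape the message so markup is shown literally instead of being rendered.
    body = (
        f"Name: {html.escape(req['userName'])}\n"
        f"Email: {html.escape(req['userEmail'])}\n\n"
        f"{html.escape(req['userRequest'])}"
    )
    msg.set_content(body)                        # text/plain, not text/html
    return msg
```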
I quickly reported the issue to Google; it was accepted and resolved within 48 hours :)
Write-ups on the IDOR vulnerabilities I found in Google Cloud will be published once the issues get resolved! Stay tuned!!
Well, if you love this write-up drop a clap 👏, and let's connect:
Twitter: sriramoffcl
Instagram: sriram_offcl
LinkedIn: sriramkesavan
Donate: https://paypal.me/sri123
Peace ✌️ !!!