After learning about Google's bug bounty program, I decided to look for vulnerabilities on their most sensitive services. Finding a vulnerability on admin.google.com was challenging; I managed to find a simple, but interesting form of Cross-Site Scripting.
Proof of Concept:
admin.google.com is part of the Google Apps service, where you configure permissions, users, and Google services for your domain. It is used primarily by businesses, especially those that use Gmail as the e-mail service for their domain.
This attack allows you to force a Google Apps admin to execute any request on the admin.google.com domain. Some of the things this makes possible:
Forcing the admin to ...
- Create new users with any permission level you want, such as a super admin.
- Disable security settings for individual accounts or for multiple domains. This includes removing two-factor authentication (2FA) from accounts.
- Modify domain settings so they point to your domain/DNS, so that all incoming e-mail to that domain is redirected to you instead.
- Hijack an account/e-mail address by resetting the password, disabling 2FA, and temporarily removing login challenges for 10 minutes.
Timeline:
- Discovered and reported: 9/1/14
- Acknowledged: 9/5/14
- Fixed: 9/18/14