Monday, 24 November 2014

How I was able to send a mail with Your Email Id?

How was I able to send mail with your email ID? Is it possible?

Yes, it is. If you are using Gmail, until yesterday I could send email with your email ID. Do you want to know how?

Read my story then....


Hi Friends,

This is Mohan Kallepalli, again with another bug in Gmail...

Thanks to Facebook, another day started with frustration. I will tell you that story another time. Anyway, with the frustration over Facebook, I turned my focus to my favourite, Google, one more time. While I was going through the Gmail settings, thanks to my low-speed internet, my browser suggested that I use "Basic HTML".

Once I opened my settings in Basic HTML, I went to the Accounts section, and there I saw the functionality for adding another user's email ID to your "send email as" list. This functionality is protected by a verification-code mechanism, which means Gmail sends a verification code (9 digits) to the target email ID and you need to enter that code on your verification page to get access.

Well, like any other tester, I tested the functionality with different wrong codes, and then I came to know that the verification code does not expire until you use it successfully or a new code is generated.

So I tried to brute-force the last 3 digits first. In fact, I thought I would be locked out if I tried multiple times. But to my surprise, after 216 attempts, I saw a server response different from all the others, with "no error message".

When I refreshed my settings page, I saw the target email had been successfully added to my settings. Now all I need to do is make your email my default reply address and send mails...

I tested the issue for the last 5 digits of the 9 with 5200 requests and broke it. In the same way, it is possible to break all 9 digits too with reasonable resources.
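The two properties that made the search above possible are that the code never expires until it is used and that nothing limits the number of guesses. The following is an added example, not the post's own tooling or anything of Gmail's: it models a weak verifier with exactly those properties next to a hardened one (attempt budget, lifetime, single use; these controls are an assumed fix, not what Google shipped), and runs the same suffix search against both. The 9-digit code, the 3-digit suffix length and the limits are constructed values for the demo.

```python
import secrets
import time


class WeakVerifier:
    """Constructed model of the flow described above: a 9-digit code that stays
    valid until it is used or replaced, with no attempt limit and no lockout."""

    DIGITS = 9

    def __init__(self, code=None):
        # A fixed code can be injected so the demo and tests are deterministic.
        self.code = code or f"{secrets.randbelow(10 ** self.DIGITS):0{self.DIGITS}d}"
        self.attempts = 0
        self.verified = False

    def submit(self, guess):
        self.attempts += 1
        if guess == self.code:
            self.verified = True
            return "added"       # the one response that carries no error message
        return "invalid code"    # every wrong guess, forever, looks like this


class HardenedVerifier(WeakVerifier):
    """Same flow with the controls the finding calls for (assumed, not Gmail's
    actual fix): a short lifetime, a small attempt budget, and a code that is
    thrown away once either runs out."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 600

    def __init__(self, code=None, clock=time.monotonic):
        super().__init__(code)
        self.clock = clock          # injectable so expiry can be tested offline
        self.issued_at = clock()
        self.invalidated = False

    def submit(self, guess):
        if self.invalidated or self.clock() - self.issued_at > self.TTL_SECONDS:
            return "expired"
        self.attempts += 1
        if secrets.compare_digest(guess, self.code):
            self.verified = True
            self.invalidated = True  # single use
            return "added"
        if self.attempts >= self.MAX_ATTEMPTS:
            self.invalidated = True  # budget spent: the user must request a new code
            return "locked"
        return "invalid code"


def brute_force_suffix(verifier, known_prefix, suffix_len):
    """Enumerate every suffix behind a known prefix (the post's test of the last
    3 and 5 digits), stopping at the first response that is not the usual
    failure. Returns (code_or_None, attempts_made)."""
    attempts = 0
    for n in range(10 ** suffix_len):
        attempts += 1
        guess = f"{known_prefix}{n:0{suffix_len}d}"
        resp = verifier.submit(guess)
        if resp == "added":
            return guess, attempts
        if resp in ("expired", "locked"):
            return None, attempts    # the hardened endpoint cut the search off
    return None, attempts


def demo(code="123456789", suffix_len=3):
    """Run the same suffix search against both endpoints and report the outcome."""
    prefix = code[:-suffix_len]
    weak = WeakVerifier(code)
    hard = HardenedVerifier(code)
    return {
        "weak": brute_force_suffix(weak, prefix, suffix_len),
        "hardened": brute_force_suffix(hard, prefix, suffix_len),
    }


if __name__ == "__main__":
    print(demo())
```

Against the weak verifier the search lands on the code after 790 requests and the account is "added"; against the hardened one it is stopped at the fifth guess and the code is dead, so the attacker gains nothing from the remaining 995. The attempt budget alone is what changes the economics: with it, even a 9-digit code that an attacker must guess from scratch gives them five tries out of a billion per issued code.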

You can view the same on the following video if you like...



Suggestions and Queries/Corrections are always welcome...

Tuesday, 18 November 2014

YouTube URL Redirection..

Hi Guys,

Another bug in Google.. This time it is with youtube.com

Hmm.. Found a bug in YouTube.. but unfortunately, this bug is out of scope.. Anyway, a bug is a bug.. Let's see..

The issue is a URL redirection vulnerability that existed in upload.youtube.com. When you upload a video which is not proper (invalid), the application redirects you to an error URL. This URL is sent to the server as a parameter, error_redirect. I tried changing the URL to some random domain, and guess what, it redirected there since I had uploaded an invalid video.

Then, in the request, I observed there are two user-specific tokens going to the server. They are nothing but anti-CSRF tokens, and they work properly with a valid video. But in the case of an invalid video, they are no longer validated and are ignored. So I tried to send the request with an invalid file, but this time I removed the user-specific tokens user_token and session_token. And as I expected, the application issued a 302 redirection to the URL in the error_redirect parameter.

So finally, I got an open URL redirection vulnerability in YouTube. Unfortunately, the bug is out of scope. But they fixed the bug nevertheless, by accepting all videos into the processing stage without validating the video.
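The shape of the bug is an error path that returns before the request has been authenticated and then follows a caller-supplied URL. The following is an added example and not YouTube's code: a constructed upload handler with the ordering described above, beside a hardened version that checks the token on every path and only redirects to a same-site path or an allowlisted host. The host allowlist, the default error page, the file-magic check standing in for the real video validator, and the sample requests are all assumptions made for the demo.

```python
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed allowlist and default for this example, not YouTube's real configuration.
ALLOWED_HOSTS = {"www.youtube.com", "upload.youtube.com"}
DEFAULT_ERROR = "/upload?error=invalid_video"


@dataclass
class Response:
    status: int
    location: str = None
    body: str = ""


def video_is_valid(data):
    """Constructed sanity check standing in for the real validator: accept a
    WebM/Matroska file (EBML magic) or an MP4-family file (ftyp box at offset 4)."""
    return data[:4] == b"\x1a\x45\xdf\xa3" or data[4:8] == b"ftyp"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_ERROR):
    """Return url only if it is a same-site path or an absolute http(s) URL on an
    allowed host; anything else falls back to the default error page."""
    if not url or "\\" in url:
        return default              # browsers treat "\" like "/" in the authority
    parts = urlsplit(url)
    if "@" in parts.netloc:
        return default              # userinfo tricks such as https://good@evil/
    if parts.scheme == "" and parts.netloc == "":
        # A bare path is fine; "//host" or "///host" is a protocol-relative URL.
        return url if url.startswith("/") and not url.startswith("//") else default
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return url
    return default


def handle_upload_vulnerable(form, session_token):
    """Constructed model of the behaviour reported above: the invalid-video path
    returns before the token check and follows error_redirect unvalidated."""
    if not video_is_valid(form.get("file", b"")):
        return Response(302, location=form.get("error_redirect", DEFAULT_ERROR))
    if form.get("session_token") != session_token:
        return Response(403, body="bad token")
    return Response(200, body="accepted for processing")


def handle_upload_hardened(form, session_token):
    """Token check first on every path, and the redirect target sanitised."""
    supplied = form.get("session_token", "")
    if not secrets.compare_digest(supplied, session_token):
        return Response(403, body="bad token")
    target = safe_redirect_target(form.get("error_redirect"))
    if not video_is_valid(form.get("file", b"")):
        return Response(302, location=target)
    return Response(200, body="accepted for processing")


# Constructed sample requests: junk bytes as the "video", an attacker-chosen
# error_redirect, and a minimal MP4 header for the valid case.
TOKEN = "s3ss10n-t0k3n"
JUNK_UPLOAD = {"file": b"definitely not a video",
               "error_redirect": "https://attacker.example/phish"}
REAL_UPLOAD = {"file": b"\x00\x00\x00\x18ftypisom", "session_token": TOKEN}


def demo():
    return {
        "vulnerable": handle_upload_vulnerable(JUNK_UPLOAD, TOKEN),
        "hardened_no_token": handle_upload_hardened(JUNK_UPLOAD, TOKEN),
        "hardened_with_token": handle_upload_hardened({**JUNK_UPLOAD, "session_token": TOKEN}, TOKEN),
        "hardened_valid_video": handle_upload_hardened(REAL_UPLOAD, TOKEN),
    }


if __name__ == "__main__":
    for name, resp in demo().items():
        print(f"{name}: {resp}")
```

The vulnerable handler answers the tokenless junk upload with a 302 to attacker.example, which is the behaviour seen in the report. The hardened one rejects it with 403, and even with a valid token it redirects to the default error page, because the attacker's host is not on the allowlist. Validating the token before any branch is what closes the CSRF-free trigger; validating the target is what closes the redirect itself, and both are needed.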

A video presentation for the same can be found here...


Suggestions and Queries/Corrections are always welcome...