Showing posts from 2017

Unauthorised Accessing of Google Calendar Invites

Google Calendar is a common and well-known feature that everyone uses for scheduling and organising meetings within an organisation that uses "Google for Work".
The Bug! Failure to restrict access to unauthorised personnel.
Story: While scheduling a meeting with my work team to present a demo, I came across the functionality in Google Calendar to add groups as guests. Once a group is added, Calendar automatically expands the group and adds all members to the meeting. While doing so, it prompts the organiser whether (s)he wants to send the meeting invites to the guest list.
Once the meeting is scheduled, all the meeting invitations are actually sent from the user/organiser's mail account. That means that once you schedule a meeting, if you check your sent mailbox, you can find all the meeting invites that were sent to all the guests.
Figure: sent mailbox with the target's mail
So far, it's just a feature. But once we o…

Account Compromise through Brute Forcing FB Disavow Link - Multiple Subdomains

Another bug in Facebook. This time, multiple subdomains of FB are found to be vulnerable to brute forcing.
Facebook is not limiting the attempts made to access the disavow page, resulting in account takeover by brute force.
Vulnerability Type: Missing rate limiting or anti-automation measures
Vulnerable Service: Facebook Disavow
Vulnerable URL: https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY
Vulnerable Domains: All of the following domains are found to be vulnerable to the same flaw.
www.facebook.com
www.beta.facebook.com
m.facebook.com
m.beta.facebook.com
iphone.facebook.com
developers.facebook.com
lookaside.facebook.com
Attack Scenario:
Assume the victim has forgotten his/her password and used the forgot-password feature to reset the account password. Facebook will now send a password reset confirmation mail, which contains a link to be used in case the password was actually reset by an attacker. Users can use this link to regain access to the account which was believ…