Detailed Technical Analysis of "Stealing $50,000 from Google"

Overview:
In this blog post, Landon promotes the technical details of a vulnerability discovered in Google’s web infrastructure, which could have allowed an attacker to steal $50,000. The vulnerability leveraged an unintended interaction between Google OAuth services and Google Ads/Billing endpoints, revealing a sophisticated chain of bugs that could exploit Google’s financial services through OAuth tokens.

Key Technical Details:

  1. Initial Discovery:
  2. Google OAuth Mechanism: OAuth is a protocol that allows third-party applications to grant limited access to users’ resources without exposing credentials. Tokens generated through this process can be used to access APIs.
  3. Google Ads API & Billing Details: The core of the attack was an OAuth token that, when paired with a misconfigured or poorly protected OAuth scope, allowed access to sensitive Google Ads and Billing endpoint data.

  4. Scope Manipulation:

  5. OAuth Scopes: OAuth tokens are tied to specific scopes which define what resources the token can access. In this case, the wrong combination of scopes allowed broader access than intended.
  6. Sensitive Scopes Identification: The researcher identified and manipulated scopes related to billing (https://www.googleapis.com/auth/adwords), which when misused, could lead to financial manipulation or sensitive data exposure.

  7. Endpoint Misconfiguration:

  8. Billing & Payments API: By exploiting the Google Billing API, the researcher could retrieve sensitive billing data, which included credit allocations.
  9. Request Manipulation: Crafting specific requests with the OAuth token, the attacker could exploit the billing endpoints to initiate or redirect financial operations.

  10. Exploitation Mechanism:

  11. API Requests: Constructing API calls to the billing endpoints using the OAuth token, exploiting the vulnerability to manipulate the account's billing information.
  12. Financial Impact: By potentially altering any billing or payment information, the attacker could have redirected funds or authorized unauthorized transactions, demonstrating the severity by the hypothetical $50,000 theft.

  13. Google’s Response:

  14. Bug Reporting: Upon identifying the issue, the researcher responsibly disclosed the vulnerability to Google.
  15. Patch Deployment: Google patched the configuration loophole in their OAuth scope management that allowed such unauthorized access, mitigating the risk of future exploits.
  16. Bounty Reward: Google’s Vulnerability Reward Program incentivized this level of detailed security research with a substantial $50,000 reward, signaling the critical nature of the vulnerability.

Key Takeaways:

Conclusion:

This case study illustrates a sophisticated approach to exploiting OAuth-related vulnerabilities to access and manipulate financial data on a major platform like Google. It highlights the critical need for comprehensive security practices in handling OAuth tokens and API interactions. The detailed process from discovery to patching ensures broader community awareness and emphasizes the success of responsible security disclosures.

For full details, check the original blog post here.