
Saturday, March 19, 2011

Get blogger Admin Access

Nir.Goldshlager participated in Google's vulnerability reward program and found several high-severity vulnerabilities. The first one Nir.Goldshlager wants to share is a critical vulnerability in Blogger (a Google service): a permission issue that an attacker could use to gain administrator privileges over any Blogger account.

Here are the steps for getting admin control permissions over any Blogger account.

1.) The attacker uses the "invite authors" option in Blogger (add authors).

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com(attacker email)&ok=Invite

As you can see, I added two blogID values to my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).

The server checks the attacker's permissions against the first blogID value (the attacker's own blog) but executes the request against the second one (the victim's blog).


2.) The attacker then receives an e-mail asking to confirm him as an author (the author invitation link). After confirming, the attacker is added as an author on the victim's blog.

3.) At this step it becomes possible to change the attacker's permission from author to administrator.

Vulnerability location:

POST /team-member-modify.do HTTP/1.1

Request:

security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges


As you can see, there is another field in this request called memberID.

Every user in Blogger has a memberID value, so the attacker also needs to supply his own memberID in this POST request. Every administrator and author of a blog has a memberID, so to carry out a successful attack (become administrator), the attacker must first add himself as an author on the victim's blog; only then can the next step make him an administrator of it.
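To show the defect from the defender's side, here is an added example. It is not Blogger's code: the handler names, the in-memory blog table and the request bodies are constructed to mirror the shape of the two requests above, and the vulnerable handler simply implements the behaviour the post describes (authorize on the first blogID, act on the last). Beside it sits a hardened handler that refuses any duplicated parameter and binds its permission check to the same blogID it writes to, plus the same single-value rule applied to the team-member-modify step. The duplicate-parameter check doubles as a detection signal for a reverse proxy or log review.

```python
from urllib.parse import parse_qs

# Constructed sample request body, modelled on the shape of the post's invite
# request. All values are placeholders, not real identifiers.
POLLUTED_INVITE = (
    "security_token=tok&blogID=attackerblog&blogID=victimblog"
    "&authorsList=attacker%40example.com&ok=Invite"
)


def make_blogs():
    """Constructed sample state: two blogs, each administered only by its owner."""
    return {
        "attackerblog": {"authors": set(), "admins": {"attacker"}},
        "victimblog": {"authors": set(), "admins": {"victim"}},
    }


def duplicate_params(body):
    """Parameter names that occur more than once in a form body.

    A duplicated authorization-relevant parameter is a cheap thing to alert on
    at a reverse proxy or when reviewing request logs."""
    return sorted(name for name, values in parse_qs(body).items() if len(values) > 1)


def vulnerable_add_author(blogs, caller, body):
    """Handler with the behaviour the post describes (assumed, not Blogger's code):
    the permission check reads the first blogID, the write uses the last one."""
    params = parse_qs(body)
    blog_ids = params.get("blogID", [])
    if not blog_ids:
        raise ValueError("missing blogID")
    author = params.get("authorsList", [""])[0]
    if caller not in blogs[blog_ids[0]]["admins"]:
        raise PermissionError(f"{caller} is not an admin of {blog_ids[0]}")
    target = blog_ids[-1]  # the duplicated value decides where the write lands
    blogs[target]["authors"].add(author)
    return target


def single(params, name):
    """Return the one value of `name`, refusing missing or duplicated parameters."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"{name} must appear exactly once, got {len(values)}")
    return values[0]


def hardened_add_author(blogs, caller, body):
    """Fixed handler: exactly one blogID, and the same value is checked and written."""
    params = parse_qs(body)
    blog_id = single(params, "blogID")
    author = single(params, "authorsList")
    if caller not in blogs[blog_id]["admins"]:
        raise PermissionError(f"{caller} is not an admin of {blog_id}")
    blogs[blog_id]["authors"].add(author)
    return blog_id


def hardened_grant_admin(blogs, caller, body):
    """Same rule for the team-member-modify step: memberID must already be a
    member of the one blogID that the caller administers."""
    params = parse_qs(body)
    blog_id = single(params, "blogID")
    member = single(params, "memberID")
    if single(params, "isAdmin") != "true":
        raise ValueError("only isAdmin=true is handled in this example")
    blog = blogs[blog_id]
    if caller not in blog["admins"]:
        raise PermissionError(f"{caller} is not an admin of {blog_id}")
    if member not in blog["authors"] | blog["admins"]:
        raise ValueError(f"{member} is not a member of {blog_id}")
    blog["admins"].add(member)
    return blog_id


def demo(body=POLLUTED_INVITE):
    """Run the polluted invite through both handlers and report what each did."""
    results = {"duplicated": duplicate_params(body)}
    blogs = make_blogs()
    results["vulnerable_target"] = vulnerable_add_author(blogs, "attacker", body)
    results["victim_authors_after_vulnerable"] = sorted(blogs["victimblog"]["authors"])
    blogs = make_blogs()
    try:
        hardened_add_author(blogs, "attacker", body)
        results["hardened_outcome"] = "accepted"
    except (ValueError, PermissionError) as exc:
        results["hardened_outcome"] = f"rejected: {exc}"
    results["victim_authors_after_hardened"] = sorted(blogs["victimblog"]["authors"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is that the fix is not "read the first value instead of the last": any handler that accepts a multi-valued parameter where a single identifier is expected leaves room for the check and the action to disagree. Rejecting the request outright when blogID appears more than once removes that ambiguity, and the same `single` rule is what stops a duplicated memberID from being abused in the second step.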

2 comments:

  1. For one blogger account, how many admin control permissions are possible?

  2. You can add up to 100 authors to one blogger account ...!!