Leaking All Users Google Drive Files

-

 Hey All!

Long time no see. I decided to make some new blog posts about some of my top Google findings I have had over the years. I am hoping to write up more of these as kind of a continuous series over the next few weeks so stay tuned.

In this new post I am writing up an interesting find I had a few years ago that allowed you to gain access to another users Google Drive files. For those that do not know Google Drive is a file sharing service where you can upload word docs, PDF files, or any file for that matter and share it with other users. If the file is private or not meant to be shared with you then you would receive an access denied error. 

Today I am going to show you how it was possible to gain access to someone else's Google Drive files without being granted access to it :).  

Before I begin I do want to say the issue is fixed and Google VRP gave a nice bounty for it :D.

POC:

So before I begin going over this POC I need to explain a little back ground about Google Classroom. For those that do not know Google Classroom is a offering Google gives for teachers/students to collaborate in a classroom like environment. You can find it at classroom.google.com and the way it works is teachers can post announcements, assignments, grade papers etc. 

Now when a teacher posts an assignment on Google Classroom students then receive a page to submit their assignment to the teacher. This page looks like this for example:

A student would see the above page to submit an assignment to the teachers of the classroom for grading.

Now when submitting an assignment students had the ability to attach a file to the assignment. So lets say a student needed to attach a paper they wrote up for the class. They would attach their Google Drive DOC to the assignment and hit submit. 

Here is where the issue now comes into play. 

When a student would submit an assignment to the teacher Google Classroom had a process where it would then grant the teachers of the classroom ownership over the submitted document. This is needed because obviously the teachers would need to be able to read the document once a student submits it. 

Now when a student actually added a Google Drive file to their assignment this is the API request that would run:

POST /v7/writesubmission?_reqid=4786040&rt=j HTTP/1.1
Host: classroom.google.com

f.req=[[3],[[["18537069787",["46653220298",["41400909728"]]],[["18537069787",["46653220298",["41400909728"]]],null,null,null,[[null,null,"1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw",2,"application/vnd.google-apps.ritz",null,null,null,null,null,null,null,null,null,[null,2]]],null,[],null,null,null,null,null,null,null,null,null,null,null,[],[]],[null,true],[]]],[null,true,null,true,true,null,true,true,true,null,null,null,true,null,[true],null,null,null,true,true,true,null,null,null,[[true,true]],[[true,true]]]]

If we look closely you can see this value here:

 "1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw" This is the ID of the students Google Drive file for example being submitted for the assignment.

There was no proper RBAC checks going on to verify if you actually owned the Google Drive file being attached to the assignment. 

So now we know we can attach any Google Drive file to our assignment but will the Google Classroom back end grant me access to the file?

During first testing it did not grant me access. As a result at the time I thought the RBAC checks were working properly and it was more just a UI thing if anything. I was not able to gain access to the Google Drive file of my other account when simply changing the ID in the above request.

The bypass?

After some further digging there was a bypass that then fully worked. If you added the person you were targeting to your Google Classroom as a student/teacher you would then fully be able to now gain full access to their Google Drive file using the above request now. 

The flow here would then be:

1. Add the user you were targeting as a user to your Google Classroom and create an assignment in the Classroom.

2. Add another account as a student that you control to the classroom and sign into that account. 

3. As the student account that you signed in as submit an assignment and modify this request:

POST /v7/writesubmission?_reqid=4786040&rt=j HTTP/1.1
Host: classroom.google.com

f.req=[[3],[[["18537069787",["46653220298",["41400909728"]]],[["18537069787",["46653220298",["41400909728"]]],null,null,null,[[null,null,"1h8tReWm8Cp6bsv24BwMlimFrJ3w1d7sdpxYHfUr1rgw",2,"application/vnd.google-apps.ritz"

And put the ID of the Google Drive from the users Drive you are targeting that you added to the classroom in step 1.

4. Submit the assignment and you will now be able to access their entire Google Drive file and get ownership over it. 

That's it :)

Here is a video as well:

Mind the music as Google VRP likes music so I usually would add it.

If you have any questions please feel free to reach out to me on X:

Cam (@SecretlyHidden1) / X





Comments

Post a Comment

Popular posts from this blog

A Creative Way To Get Someones YouTube Videos Deleted + A Copyright Strike Against Their YouTube Channel

-
Image
Hey All! Welcome back to another blog post of a pretty interesting finding I submitted to Google. Since the last post got such good traction I will probably be posting another one this weekend or next week. Not sure what that type of write up will entail.  If you read the last post you probably saw how you could utilize a API in Google Classroom to leak other users Google Drive files. Google gave a nice bounty for it and fixed it very quickly. The traction that post received was amazing as well so thank you for that.  In this post I am going to show you a very interesting finding which could have resulted in you being able to delete another persons YouTube videos and even risk their entire channel getting deleted.  So lets begin! First a little bit of background on YouTube and copyright disputes.  I think most here know YouTube has a copyright process where if you upload a video using another persons music for example a content ID claim is put against your video. Now these are generall
Read more

Becoming A Super Admin In Someone Elses Gsuite Organization And Taking It Over

-
 Hello All! Long time since I have posted here :) As most of you know I am planning on writing up a lot of my research I have done through Microsoft Bug Bounty program over the years. Still trying to figure out exactly the best approach and reports to writeup. However in the mean time I will be providing some of my research from Google over the years. Microsoft and Google were the 2 main programs I hunted on over the years and Googles program resulted in some fruitful research as well :) So as a result today I present how it was possible to add yourself as a Gsuite Super Admin to someone else's Gsuite account. POC: So for those that do not know Gusite is a suite of products offered by Google for organizations and education institutions for example. It is similar to Microsofts offering of O365. Now in Gsuite the main admins of the organization are super admins. They are exactly what they sound like. Have Super Admin privileges over everything. They can create group, manage users, ch
Read more