Broken Access: Posting to Google private groups through any user in the group
(My main goal in this post is to show tricks for bug hunters, today I’m showing Email Spoofing)
These days I reported a bug in Google Groups to Google, but received the following response:
“Thanks for reporting! We think the issue might not be severe enough for us to track it as a security bug.”
So I decided to share this trick with you, I think it can be useful for some people.
*Remembering that the “Bug” has not been fixed.
Google Groups allows you to create and participate in online forums and email-based groups with a rich experience for community conversations.
To create a group we need to fill in some information.
1- Group Name (Ex: testpocgoogle)
2- Email of the group (Ex: firstname.lastname@example.org)
3- Description of the group
And also some basic permissions (Ex: Only members of the group can post something [Standard])
When posting something in the group, all users receive feedback in the email, containing the content of the post,
in this email we also found some kind of “help” from Google groups.
Among them “To post to this group, send email to email@example.com.”
Let’s cite as an example the user “elbtests acc - firstname.lastname@example.org”, he is in the group, so he can make and comment posts.
Hacker knows that this user is in the group but does not have access to his account (Acc email@example.com).
Knowing that posts can be made via email, the hacker decides to try Email Spoofing.
Email spoofing is the creation of email messages with a forged sender address.
To perform this “Attack” I used the site emkei.cz.
By filling in the correct information and submitting the request, the group admin will receive the post marked
as if it had been made by the actual user of the group, but with those settings I saw that she was falling into Spam.
Bypass the spam filter.
To make the post fall directly into the group, I used an SMTP server of my own with some more settings that they should not have on the site I used.
(like SPF and dkim with 2048 key, since 1024 usually went to spam in some tests)
[Video Demoted at the beginning of the post]
Now we can see that the email was not marked as spam, and was posted directly in the group by my user, and for this I just needed the email, no passwords or 2FA bypass.
And the email with the content of the post was sent to the email of the users that follow that group.
(in the video we can see a notification in the tab of gmail after the POST in the form has been sent.)
In addition to posting, the hacker can also unsubscribe from the user in that group.
The posting made by the hacker stays in the victim’s logs if she logs in to your profile and sees your “Recent Activities” post that she did not do
will be there.
If the Admin sees the email in the Spam tab, or in the group itself and clicks ban user, the user “victim” will be banned without doing anything.
Google hides users’ email, but they can be found in your gmail when you receive feedback from posts.