Bug hunter earned $17k bounty for HelloSign bug
Implementation flaws in Google Drive integrations created server-side request forgery (SSRF) vulnerabilities in a variety of applications, a security researcher has revealed.
This included Dropbox’s digital signature platform, HelloSign, but “by far the finest” SSRF was achieved via CRLF and request pipelining in another, unnamed application, recounts bug bounty hunter Harsh Jaiswal in a GitHub write-up.
Jaiswal received a bounty award of $17,576 for a “pretty simple” but critical SSRF related to HelloSign’s Google Drive Docs export feature.
“By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse external JSON data which leads to an SSRF attack,” said Dropbox’s security team in a bug thread on HackerOne.
“We updated the parser to securely make a request which mitigates the vulnerability,” they added.
Jaiswal said the implementation issues arose in integrations that fetched files from the Google Drive API on the server side.
To demonstrate the concept, he outlined a scenario in which an application retrieves and renders an image file from Google Drive in a way that could give attackers control of the HTTP request made to googleapis.com via the file_id.
“This means we can do a path traversal and add query parameters,” explaned the researcher.
Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable.
However, he found another route to SSRF.
Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl.
A payload containing a malicious JSON object with the downloadUrl set to an attacker-controlled URL could then, depending on application logic, trigger a blind SSRF.
CRLF, request pipelining
The SSRF via CRLF and request pipelining was found on a private bug bounty program and related to how slides were imported from Google Drive.
The path traversal part of Jaiswal’s exploit worked but not the query parameters, the researcher found.
However, CRLF – denoting special character elements ‘carriage return’ and ‘line feed’ – applied to the authToken property, allowing him to control part of the request headers.
“Using this I was able to craft a new request to www.googleapis.com with my controlled query params using request pipelining,” said Jaiswal.
More to find
The researcher said most of the reported SSRFs have now been rectified, but that more could be lurking, undiscovered, in other applications.
“If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug,” he told The Daily Swig. “I'm pretty sure there are more apps still affected by this finding.