Account takeover on A Google Acquisitions apigee.com
So back in the summer I decided to get a HoF in Google cause it was my one of the most wanted Dreams.. So I started searching for new stuffs of Google then heard about Google acquisitions and thought to try my luck on one of the Google Acquisitions apigee.com .
First let me tell you about Google Acquisitions. Actually i am not telling you here about it if you want to Know about it visit this.
Back to the Topic!!
So after doing a Recon. I came to do manual testing and almost 10 min later I discovered a open redirect but the bad thing was that Google don't accept Open redirect and I was like...
this simple payload will redirect all the cookies to my server and store it in the log.txt .
(If any one want's the source code , then can ping me at Fb or twitter )
So at that time a point tackle in my mind to make it a account takeover.So i started searching for account takeover and read a same PoC as same as my condition but a bit different in that PoC there was no Open redirect just An XSS then cookie stealing and account takeover through replaying the cookies.
So I thought what's wrong with mee? I can also do this, and after Replaying the Cookies it logged me into my account.
My reaction was like........
Lesson learned :
Try to exploit a vulnerability instead of reporting it.
Your report triage 29/06/2017
same day Nice catch.... Got HoF
Got Duplicate 20/07/2017
After it I reported some more vulnerabilities to google and fix is in process.
Also I will disclose my Microsoft PoC soon here..
Sorry for my Bad English xD
Thanks for Reading
Hope you enjoy gyes..
Facebook , Twitter , Github , Email