A flaw in Google Groups has netted a security researcher $3,133 after he discovered that the unsubscribe feature could be abused to remove members without their consent.
More than 20 years old, Google Groups allows people to set up discussion groups with a common mail ID for members. Using this service, members of the group can send a single email that will then be posted in the group chat.
Members can automatically unsubscribe to the group by sending an email to, for example, ‘test_groups_one+unsubscribe@googlegroups.com’.
However, Sriram Kesavan, founder and director of security at India-based TG Cyberlabs, discovered that it was possible to trick the system into removing Google Groups members at will, without their knowledge.
His technique was to email the group and use the ‘reply-to’ feature, common to most mailing services, so that any reply would be sent to the unsubscribe email address and the member automatically removed.
Stealth removal
Using auto-forwarding allowed Kesavan to make the group removal process invisible to the user concerned.
Kesavan says he was able to use the technique to remove users from a Google Group he set up within his own company – and that Google itself uses the service as a Google Payment tracking system.
“I could have literally removed Google employees on several official groups, even if I have no access to it,” he tells The Daily Swig.
“This could have literally destroyed the Google Payment system flow, and could have caused delays on their internal payments.”
Retrospective bug bounty
When Kesavan reported the issue to Google, it was at first rejected as “intended behaviour”. With permission, he then submitted a full write-up, which won him the a $3,133.70 reward.
“Initially the person who was attending to my report was not given sufficient information from my side to decide and finalize it as a valid security issue,” he says.
“Later, when I decided to send a write-up which had all the information, they realized the impact of this issue and the team decided to patch this ASAP, so a quick and simple patch was applied in order to prevent users from exploiting it.”
A Google spokesperson said the company was unable to comment.
Source: https://portswigger.net/daily-swig/google-groups-unsubscribe-feature-abused-to-remove-members-without-consent