Unauthorised Accessing of Google Calendar Invites

Google Calendar is a common and very well-known feature that everyone uses for scheduling and organising meetings within an organisation that uses "Google for Work".
The Bug! Failure to restrict access to unauthorised personnel.
Story: While scheduling a meeting with my work team to present a demo, I came across the functionality in Google Calendar to add groups as guests. Once a group is added, Calendar automatically expands the group and adds all members to the meeting. While doing so, it prompts the organiser whether (s)he wants to send the meeting invites to the guest list.
Once the meeting is scheduled, all the meeting invitations will actually be sent from the user/organiser's mail account. That means, once you schedule a meeting, if you go and check your sent mail box, you can find all the meeting invites that were sent to all the guests.
Figure: sent mail box with target mail
So far, it's just a feature. But once we o…

Account Compromise through brute forcing FB disavowed link - Multiple Subdomains

Another bug in Facebook. This time, multiple subdomains of FB are found to be vulnerable to brute forcing.
Facebook is not limiting the attempts made to access the disavowed page, resulting in account takeover by brute force.
Vulnerability Type : Missing rate limiting or anti automation measures
Vulnerable Service : Facebook Disavow
Vulnerable URL :
Vulnerable Domains : All the following domains are found to be vulnerable with the same flaw.
Attack Scenario :
Assume the victim has forgotten his/her password and used the forgot password feature to reset his/her account password. Now Facebook will send a password reset confirmation mail, which contains a link to use in case the password was actually reset by an attacker. Users can use this link to gain access to the account which was believ…

Instagram - Account Compromise through Password brute forcing

The Instagram application is not validating the number of requests made to log in to a user account, which made it possible to brute force the password of any Instagram user account.
The issue was reported to Facebook through their whitehat program, but unfortunately I am not the first one to do so. So the report was marked as a duplicate and the issue was found to be fixed in a few hours.
While brute-forcing, the application throws an error in the response body, but sets an authenticated session cookie. So, once we refresh, the browser uses the newly set cookie and establishes a logged-in browsing session. The following is a video demonstrating the same (post brute force action, not the actual brute force).

Cross Site Scripting and URL redirection ...

Hi Guys,

Almost 2 years back I found cross site scripting and DOM-based open URL redirection bugs on a certain web site. Since the issues are still not patched, even after 2 years, I have decided to write a blog on them.

Cross Site Scripting: As per OWASP, "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it."
While testing, I ended up working on the support page pointing to . After playing around the site, I found that it is vulnerable to reflected cross site scripting on the following URL.…

How I could Delete Instagram Captions and Comments that are not mine,.....

It's been a while since I published my last post. So, here I come with a write-up on chaining multiple issues in the Facebook acquisition Instagram that could have allowed me to delete entire comments/captions from the Instagram DB.

For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, I was about to close my Mac and then saw a request without a signature.

Bingo... something to play around with. So I started working on the request, trying to find the most common bugs, like SQLi, XSS, CSRF etc. Then, to cross-verify a CSRF issue, I used my browser. But to my surprise, in later requests in the browser app, there is no signature at all, but of course the CSRF issue is properly protected.
So while testing with both the App and Browser together, I realised that there is an authorisation flaw in the comment deletion action. But it requires certain comment ID values, which are (supposed to be) n…

Multiple Vulnerabilities in eFront CMS v3.6.15.4

Hi friends,

I am back with three stories today. There are multiple critical bugs affecting e-front, one of the Top 10 e-learning CMS available, version build 18023. The details are as follows.
Directory Traversal (CVE : 2015-4461)
Local File Inclusion (CVE : 2015-4462)
Bypass for Blocked extension file uploads (CVE : 2015-4463)
About the e-front: E-front is one of the Top 10 e-learning CMS available free on the market till date. A small description from the vendor's site:

"The core of eFront is distributed as an open-source project. We have created a superior training product and we are not afraid to let you try it! The open-source edit of eFront will cover a wide range of your needs. If you are looking for a specialized solution then take a look at different efront editions."
The issues are fixed as part of the new release, eFront v3.6.15.5 build 18024. You can find the change log here

Point of the Story:
e-front has a wide range of security pr…

How I was able to send a mail with Your Email Id?

How I was able to send a mail with Your Email Id? Is it possible?

Yes. It is. If you are using Gmail, until yesterday, I could send email with your email id. Do you want to know how?

Read my story then....

Hi Friends,

This is Mohan Kallepalli, again with another bug in Gmail...

Thanks to Facebook, another day started with frustration. I will tell you that story another time. Anyway, with the frustration on Facebook, I turned my focus to my favorite Google one more time. While I was going through the Gmail settings, thanks to my low speed internet, my browser suggested that I use "Basic HTML".

Once I opened my settings in Basic HTML, I went to the Accounts section and there I saw the functionality for adding another user's email id to your "send email as" list. This functionality is protected by a verification code authentication mechanism, which means Gmail will send a verification code (9 digits) to the target email id and you need to enter that code in your verification pag…