Unauthorised Accessing of Google Calendar Invites

Unauthorised Accessing of Google Calendar Invites


Google Calendar, a common and very well known feature that everyone uses for scheduling and organising meetings within an organisation that uses "Google for Work".

The Bug!
Failure to restrict the access to unauthorised personal.

Story,
While scheduling a meeting with my work team to present a demo, I came across the functionality in Google calendar to add groups as guest. Once a group is added, Calendar will automatically expands the group and adds all members to the meeting. While doing so, it prompts the organiser if (s)he wants to send the meeting invites to the guest list.

Once the meeting is scheduled, all the meeting invitations will actually be sent from the user/organiser's mail account. That means, once you schedule a meeting, if you go and check your sent mail box, we can find all the meeting invites that were sent to all the guest.

Figure: sent mail box with target mail

So far, its just a feature. But once we open any meeting invite from sent mail folder, the invitation contains a link which actually generated for the target user to open.

Figure: sent mail with hardcoded link

But since, we already have the link with us, if we open it in browser, we can actually perform the actions designated for the target user. That means, we can approve/reject the invitations.

Figure: link page with target user's options

Figure: link page with target's post accept message

Once we perform any action from the link, all the actions will be reflected from the target user;s mail account. Which means, if you accept/reject the invitation, there will be a mail sent from target mail account to your account automatically saying accepted/rejected the invitation.

Figure: mail received from target's account

Also, it is observed that these links will never expire, hence you can always modify your/someone else's actions.

Conclusion!
Now we can invite anyone and approve or reject their calendar invite without their consent. In other words, you can schedule a meeting with your CEO and make him accept the invite, whenever you wanted.

Responsible Disclosure!

  • Issue is reported to Google VRP
  • Issue marked as expected behaviour; won't fix?

Video PoC?
since the issue is effecting Google for Work calendar, it is difficult to provide a video POC openly without disclosing sensitive information on the mail box.

Since the issue is a "Won't Fix" from google side, you can always go and try your self (at your own risk though).

Comments

  1. Testere30 August 2018 at 17:39

    This comment has been removed by the author.

    ReplyDelete
  2. Anika16 November 2018 at 05:58

    Great that you described it
    Call girls London

    ReplyDelete
  3. Melissa17 February 2019 at 18:02

    Hello everyone, I just got my Business instagram account verified, I am so happy I met Mr James. I saw a recommendation about him and I contacted him. He helped me in getting my account verified, he was trustworthy and reliable. If you need help in hacking or getting your instagram account verified, I suggest you contact him (worldcyberhackers) through Gmail or WhatsApp: +12678773020

    ReplyDelete
  4. Asthprash22 October 2019 at 22:58

    great blog
    asthprash Effective in healthy movement of gases through the digestive system.
    www.asthprash.com


    ReplyDelete

Post a Comment

Popular posts from this blog

Multiple Vulnerabilities in eFront CMS v3.6.15.4

Image
Hi friends, I am back with Three stories Today. There are multiple critical bugs effecting the e-front, one of the Top 10 e-learing cms available, version 3.6.15.4 build 18023. The details are as follows. Directory Traversal       ( CVE : 2015-4461 ) Local File Inclusion      ( CVE : 2015-4462 ) Bypass for Blocked extension file uploads      ( CVE : 2015-4463 ) About the e-front:   E-front is one of the Top 10 e-learning cms available free on the market till date. A small description from the vendor's site: "The core of eFront is distributed as an open-source project. We have created a superior training product and we are not afraid to let you try it! The open-source edit of eFront will cover a wide range of your needs. If you are looking for a specialized solution then take a look at different efront editions ." The Issues are fixed as part of new release, efront v3.6.15.5 build 18024. You can find the chan...
Read more

Cross Site Scripting through callback functionality

Image
Hello Guys, Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story. The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application. This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value. https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script>...
Read more

How I could Delete Instagram Captions and Comments that are not mine,.....

Image
Its been a while since i published my last post. So, here i come with a write up for chaining of multiple issues in Facebook Acquisition - Instagram, that could allowed me to delete entire comments/captions from the Instagram DB . Instagram Web and mobile Applications For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, i was about the close my Mac and then, saw a request without signature. request without a signature Bingo..something to play around. so i started working on the request, trying to find most common bugs, like sqli,xss, csrf etc.. Then to cross verify a csrf issue, I used my browser. But to my surprise, in later requests in browser app, there is no signature at all, but of-course csrf issue is properly protected. So while testing with both the App and Browser together, I realised that there is an authorisation ...
Read more