Here is the concise procedure for getting admin control permissions over any Blogger account.
1. The attacker uses the invite-author option in Blogger (add authors):
POST /add-authors.do HTTP/1.1
As you can see, I added two blogID values in my POST request (blogID=attackerblogidvalue&blogID=victimblogidvalue).
The server checks the first blogID value but executes the request with the second blogID value supplied by the attacker.
2. After that, the attacker receives a mail asking him to confirm himself as an author (the same author invitation link that is sent when we invite someone to post articles on our blog as an author). Once he confirms, the attacker is added as an author on the victim account.
3. At this step it becomes possible to change the attacker's permission from author to administrator:
POST /team-member-modify.do HTTP/1.1
As you can see, there is another field in this request called memberID.
Every user in Blogger has a memberID value, so the attacker also needs to provide his memberID value in this POST request. In the Blogger service, every administrator and author has a memberID value, so to make a successful attack (become administrator), the attacker must first add himself as an author on the victim account in order to perform the next step, which adds him as an administrator on the victim account. The attacker will then revoke administrator privileges from the victim and will enjoy the blog.
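The root cause in steps 1 and 3 is that the authorization check and the action read different copies of a repeated parameter. The following added example (not code from Blogger or from the original report) models that mismatch next to a hardened handler that rejects duplicated parameters and authorizes the exact value it acts on; the handler names, the `BLOG_ADMINS` table and the numeric IDs are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qs

# Constructed ownership table: blog ID -> administrator (hypothetical values).
BLOG_ADMINS = {"1111": "attacker", "2222": "victim"}


class RejectedRequest(Exception):
    """Raised when a request fails validation or authorization."""


def add_author_vulnerable(user, body):
    """Models the flaw: the check and the action read different copies."""
    params = parse_qs(body)
    checked = params["blogID"][0]    # authorization reads the first value
    acted_on = params["blogID"][-1]  # the action reads the last value
    if BLOG_ADMINS.get(checked) != user:
        raise RejectedRequest("not an administrator of blog " + checked)
    return acted_on  # blog the author invitation is issued for


def single_param(params, name):
    """Return the parameter only if it was sent exactly once."""
    values = params.get(name, [])
    if len(values) != 1:
        raise RejectedRequest("%s must appear exactly once" % name)
    return values[0]


def add_author_hardened(user, body):
    """Reject duplicates, then authorize the same value that is acted on."""
    params = parse_qs(body, keep_blank_values=True)
    blog_id = single_param(params, "blogID")
    if BLOG_ADMINS.get(blog_id) != user:
        raise RejectedRequest("not an administrator of blog " + blog_id)
    return blog_id


if __name__ == "__main__":
    polluted = "blogID=1111&blogID=2222"  # constructed request body
    print("vulnerable handler acts on:", add_author_vulnerable("attacker", polluted))
    try:
        add_author_hardened("attacker", polluted)
    except RejectedRequest as exc:
        print("hardened handler rejects:", exc)
```

The same rule applies to the `team-member-modify.do` request: the blogID and memberID that pass the permission check must be the single values the change is applied to.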
To watch a video presentation of this hack, go here.
Note: This was reported by Nir Goldshlager to the Google team, and the vulnerability has since been patched. I found this interesting and am therefore sharing it here at Hackers Thirst.