Well well! After having been pretty busy with some university mid-term exams, I finally found some spare time to dig deep into bug bounty programs. Some months ago, I contacted Google about an information disclosure vulnerability I found in their Google Ads application, which would have given anyone some interesting information about the class and component names used in Google's infrastructure. Obviously, that was not a critical vulnerability, but it was worth the time to share it with Google.
Technical Details
When uploading a conversions file in Google Ads, the service behind /aw/conversions/uploads did not properly handle an application-layer exception and returned an error page containing the entire stack trace of the failed operation. A stack trace listing like this gives an attacker sensitive details about the internal application environment, such as the names of the Java classes and methods invoked during execution, which in turn help fingerprint the backend and target further attacks.
The problem was probably related to the parsing of the JSON body of the request to /api/adwords/bulksheet/upload/form/offline_conversion?authuser=0. When the JSON parameter authenticatedUserId was sent empty, the backend hit a java.lang.NullPointerException, and instead of a generic error the endpoint answered with an explicit HTTP 500 whose body (about 25 KB, judging by the Content-Length) was the full stack trace.
POST /api/adwords/bulksheet/upload/form/offline_conversion?authuser=0 HTTP/1.1
Host: ads.google.com
Connection: close
Content-Length: 198
Origin: https://ads.google.com
X-Goog-Upload-Protocol: resumable
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
X-Goog-Upload-File-Name: output.csv.xlsx
X-Goog-Upload-Content-Length: 64126
X-Goog-Upload-Command: start
Accept: */*
X-Client-Data: xxxxxxxxxxxxxxxxxxxxxxxx
Referer: https://ads.google.com/aw/conversions/uploads?ocid=xxxxxxxxxxxxx&__c=xxxxxxxxxxxxxxxxx&authuser=0&__u=1144838640
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,it-IT;q=0.8,it;q=0.7
Cookie: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

{"customerId":"xxxxxxxxxx","userId":"xxxxxxxxxxx","authenticatedUserId":"","uploadMode":"LIVE","uploadFileName":"whatever","__Internal__UploadSource":"AWN","contains_store_sales_transaction":"false"}
HTTP/1.1 500 Internal Server Error
X-GUploader-UploadID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
X-Goog-Upload-Status: final
Content-Security-Policy: default-src 'none'; report-uri https://csp.withgoogle.com/csp/scotty/2;
Content-Length: 25695
Date: Mon, 04 Feb 2019 16:03:30 GMT
Server: UploadServer
Content-Type: text/html; charset=UTF-8
Alt-Svc: quic=":443"; ma=2592000; v="44,43,39"
Connection: close

InternalApiError.UNEXPECTED_INTERNAL_API_ERROR @ xxxxxxxxxxxxxxxxxxxxxx(InternalApiErro; stackTrace: java.lang.NullPointerException
..................................
..................................
..................................
..................................
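To make the failure mode concrete, here is an added example (mine, not Google's code, and written in Python rather than the Java the real backend runs) that models the same request handler twice: a vulnerable version that lets the unhandled exception and its traceback flow into the 500 body, and a hardened version that validates authenticatedUserId up front, keeps the trace server-side, and returns only an opaque error with a correlation id. The names lookup_user, UploadSession and the incident id are hypothetical; the JSON body is the one from the request above, embedded as a constant.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger("upload")

# Request body copied from the write-up (customer/user ids are the write-up's placeholders).
SAMPLE_BODY = (
    '{"customerId":"xxxxxxxxxx","userId":"xxxxxxxxxxx","authenticatedUserId":"",'
    '"uploadMode":"LIVE","uploadFileName":"whatever","__Internal__UploadSource":"AWN",'
    '"contains_store_sales_transaction":"false"}'
)


class UploadSession:
    """Hypothetical stand-in for the backend object tied to the authenticated user."""

    def __init__(self, user_id):
        self.user_id = user_id


def lookup_user(authenticated_user_id):
    """Hypothetical lookup: returns None for an empty id, mirroring the null that
    the real backend later dereferenced (the java.lang.NullPointerException)."""
    if not authenticated_user_id:
        return None
    return UploadSession(authenticated_user_id)


def start_upload_vulnerable(raw_body):
    """Vulnerable pattern: no input validation and no exception boundary, so the
    framework's default handler serialises the exception plus traceback into the 500 body."""
    try:
        params = json.loads(raw_body)
        session = lookup_user(params["authenticatedUserId"])
        # Dereferencing None here is the Python analogue of the NullPointerException.
        return 500 if False else 200, json.dumps({"uploadId": session.user_id + ":" + uuid.uuid4().hex})
    except Exception:
        # What a "helpful" default error page does: echo the whole trace to the client.
        return 500, "InternalApiError; stackTrace: " + traceback.format_exc()


def start_upload_hardened(raw_body):
    """Hardened form: reject malformed or incomplete input with a 400, and turn any
    unexpected exception into an opaque 500 that carries only a correlation id."""
    try:
        params = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, json.dumps({"error": "malformed JSON"})
    user_id = params.get("authenticatedUserId")
    if not isinstance(user_id, str) or not user_id:
        return 400, json.dumps({"error": "authenticatedUserId is required"})
    try:
        session = lookup_user(user_id)
        return 200, json.dumps({"uploadId": session.user_id + ":" + uuid.uuid4().hex})
    except Exception:
        incident = uuid.uuid4().hex
        # The trace goes to the server log, keyed by the id the client receives.
        log.exception("upload failed, incident=%s", incident)
        return 500, json.dumps({"error": "internal error", "incident": incident})


def leaks_stack_trace(body):
    """Quick check a tester can run over any response body: does it expose
    exception names or frame listings?"""
    markers = (
        "Traceback (most recent call last)",
        "stackTrace:",
        "java.lang.",
        'File "',
        "NullPointerException",
    )
    return any(m in body for m in markers)


if __name__ == "__main__":
    for handler in (start_upload_vulnerable, start_upload_hardened):
        status, body = handler(SAMPLE_BODY)
        print(handler.__name__, status, "leaks trace:", leaks_stack_trace(body))
```

The point of the hardened version is the ordering: validation happens before any object is dereferenced, and the catch-all sits at the handler boundary so that whatever still blows up reaches the client only as a status code and an opaque id that can be matched against the server log.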
Timeline
- 31 Jan. 2019 – Contacted Google Security Team regarding the bug
- 31 Jan. 2019 – Bug was triaged
- 4 Feb. 2019 – Google asked for more information about the bug
- 15 Feb. 2019 – Google acknowledged the bug
- 23 Feb. 2019 – Bug was fixed
- 4 Apr. 2019 – Bug was disclosed