Well well! After having been pretty busy with some university mid-term exams, I finally found some spare time to dig deep into bug bounty programs. Some months ago, I contacted Google about an information disclosure vulnerability I found on their Google Ads application, which would have provided anyone with some interesting information about class and component names of Google infrastructure. Obviously, that was not a critical vulnerability, but it was worth the time to share it with Google.

Technical Details

When uploading a conversions file on Google Ads, the service /aw/conversions/uploads seemed to not properly handle application-layer exceptions and threw an error containing the entire stack trace of the operation. The stack trace listing could have provided an attacker with some sensitive information about the internal application environment, such as the names of Java classes and methods invoked during the execution.

The problem was probably related to the parsing of the JSON request /api/adwords/bulksheet/upload/form/offline_conversion?authuser=0. When the JSON parameter authenticateUserId was empty, the request threw an explicit 500, leaking the entire stack trace.
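
A defensive regression check for this class of bug, as an added example that is not from the original report or from Google: it scans an HTTP response body for Java stack frames and lists the class and method names the body exposes. The sample responses, the error message text and all com.example names are constructed placeholders.

```python
import re

# Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)".
FRAME_RE = re.compile(
    r"(?:^|\s)at\s+((?:[\w$]+\.)+[\w$]+)\.([\w$<>]+)"
    r"\((?:[\w$]+\.java:\d+|Native Method|Unknown Source)\)")
# Fully qualified Throwable name, e.g. "java.lang.NullPointerException".
THROWABLE_RE = re.compile(r"\b((?:[\w$]+\.)+[\w$]*(?:Exception|Error))\b")
MIN_FRAMES = 2  # one frame-like string alone is not treated as a trace


def find_stack_trace_leak(status, body):
    """Return details of Java internals leaked in a response body, or None."""
    # Traces returned inside JSON strings carry escaped newlines and tabs.
    text = body.replace("\\n", "\n").replace("\\t", "\t")
    frames = FRAME_RE.findall(text)
    if len(frames) < MIN_FRAMES:
        return None
    return {
        "status": status,
        "exceptions": sorted(set(THROWABLE_RE.findall(text))),
        "classes": sorted({cls for cls, _method in frames}),
        "methods": sorted({f"{cls}.{method}" for cls, method in frames}),
    }


# Constructed sample responses (placeholder names, not taken from the report).
LEAKY_500 = (
    '{"error":"java.lang.IllegalArgumentException: authenticateUserId is empty\\n'
    '\\tat com.example.upload.ConversionParser.parse(ConversionParser.java:88)\\n'
    '\\tat com.example.upload.UploadServlet.doPost(UploadServlet.java:41)\\n'
    '\\tat java.lang.Thread.run(Thread.java:748)"}')
# What a hardened handler returns: generic message plus an opaque reference,
# with the full trace kept in server-side logs only.
GENERIC_500 = '{"error":"Internal error","reference":"constructed-id-0001"}'

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_500), ("generic", GENERIC_500)):
        print(name, find_stack_trace_leak(500, body))
```

Run against captured error responses in an integration test suite, a non-None result fails the build before a verbose error page reaches production.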

Timeline

  • 31 Jan. 2019 – Contacted Google Security Team regarding the bug
  • 31 Jan. 2019 – Bug was triaged
  • 4 Feb. 2019 – Google asked for more information about the bug
  • 15 Feb. 2019 – Google acknowledged the bug
  • 23 Feb. 2019 – Bug was fixed
  • 04 Apr. 2019 – Bug was disclosed

 
