Modifying/Deleting google drive files

This is a short write up of a bug in OAuth 2.0 implementation of Google API.

This bug could have allowed an application to delete/write on user’s any of the file(s) in google drive, although the user permitted the application to access only those files that were created by the application.

 For an instance, an application requiring access to files created by itself looks like:

According to google API documentation, after the user clicks allow, the app should only be able to access files that was opened/created using this app.

I went ahead and tried deleting a file that was in the user’s drive but wasn’t ever accessed/created by the application. Following is the request I sent to test this:

The response was 204 No content. I checked the file in my drive, the file was no longer there.
This meant any application that had drive.file permission(i.e the permission to see only those files that were created by the app itself) could have been abused to access private files of user. Not only this allowed an attacker to read all the files on your drive, but also an attacker could modify/delete those files.

This was reported to google security team and has been fixed as of now.

Jun 5, 2015 – Reported.
Jun 5, 2015 – Triaged.
Jun 11, 2015 – Additional details sent.
Jun 26, 2015 – Fix confirmation, 1337$ bounty awarded.

Update: After Google fixed this issue, I was able to bypass the fix again. The bypass involved getting ‘drive.readonly’ permission along with ‘drive.file’ permission. ‘drive.readonly’ permission made everything in the user’s Google drive visible to the application and ‘drive.file’ could still be used to delete/modify other files in user’s Google drive.

The bypass has also been fixed by Google security team.

309 Words

Stored XSS on facebook and twitter!


I and my colleague Prakash were testing random stuffs to find a target that would be worth looking into. We found a new feature on Facebook which allows a user to visit the website of page-owner.

The “Shop-now” feature looked interesting with different restrictions for different input fields.
The app-link field caught my eyes, because “deep-link” URL had particularly idiosyncratic example :

The field was sanitized for special characters like < , “, ‘ , > and didn’t allow any tags to enter. The output for such characters would be:

I thought of trying ()  . Surprisingly, they weren’t being sanitized, and of course : wouldn’t be filtered for sure because it would always be used in a URL. I still wasn’t sure if any javascript would be executed. I saved the details to test it out with the applink as javascript:alert(document.domain).

But then I realized I was only couple of clicks to see if the test was successful. In, under the “shop now feature” was the script being stored. and then,

(Detailed exploit scenerio is shown in video)

Script was straightforward inserted into “a href” tag and anyone clicking on the button link would be exploited.

Now, along with client side filtering, it doesn’t execute the script even if you managed to circumvent the client side protection in some way.

A very similar endpoint existed in twitter, too. You could define the action of a button click by yourself

but more on that later.

Both vulnerabilities have been patched by respective security teams.


Thanks for the read!

273 Words

How I hacked your unverified facebook accounts !

Here’s a little write-up on how I was able to delete any unverified account in facebook. By unverified, I mean those accounts who didnot yet verify their email address linked to facebook.
All (or most) of my bugs have been authentication related to many vendors, this was no different.

Here is how I did it:

There is(was , now) this sign up function, which lets you create new facebook account. The twist is, when you use a facebook account that already has an account in facebook (with its email unverified), the response you get is :

When clicked on the “Insert the confirmation code instead” it lets you enter 5-digit number only code. Pretty simple , eh?

Lets generate a dictionary from 00000 to 99999

#!/usr/bin/env python

def add_zeros(end,tot):
while (len(zeros)<(len(tot)-len(end))):
return zeros+end

path=raw_input(” where do you want to store your dictionary file. eg. D:\derp\foo.txt “)
for i in range(0,loop_range):

for i in range(0,nine+1):
if len(j)<len(nines): j=”add_zeros(j,nines)” number=”code+j+’\n'” fob.write(number) fob.close() print ‘generated and saved!’

Bruteforce facebook using python and dictionary


(This is not a facebook hack tool , in fact, a facebook hack tool doesnot even exist , please read carefully that it is just  a script in python to bruteforce facebook for educational purposes only)

Here is a way to bruteforce facebook password of any account . The tool is coded in python . You need to have Python 2.7.3 and mechanize (a python library) installed on your PC.

1)- To download Python in windows goto  (download 2.7.x version)
Linux machine come with python as preinstalled developer’s tools.

2)- To install mechanize goto

just download zip if you are in windows and tar.gz, if you are running Linux machine.

3)-Now for windows, copy all files from C:/Python27 to C:/Windows/System32

Go to step 5 for linux

4)-Now goto directory of download mechanize in cmd . (the location where you extracted mechanize)

5)- Now run  python install cmd


Now YOU are ready to execute the program

Download the .py file from following link after skipping add

now just open the bruteforcer with idle . To open IDLE , just click ‘windows’ button and searh for ‘idle’

Press Ctrl + N to open new window . To run the Program , Simply press F5.

You should obtain following output :

Happy cracking !!!

Warning : This Information is for educational purposes only!!! xD

227 Words

Security and privacy issues in facebook photos due to graph search


Even though facebook graph search is an interesting feature recently added in facebook, for some people , the first impression has been ‘creepy’

In graph search you can search terms like
‘Movies that movie actors like’
‘People going to watch today’s soccer match’
‘People who like wine ‘

and this would refer to someone totally unrelated to you except that in your search query .

Graph search promises to show only the contents that are publicly accessible to you. That implies same search will produce different results for different people.

Due to this feature , people totally unconcerned with you can find you in results . This can make it necessary to make everything private on your timeline ,  a fear of ‘being shown on other people’s ‘ search results.

So, if you are wanting your Facebook to be a private place for you , where no one you don’t know bothers you , you’d better make every of your post and interests private in privacy settings of your account.

164 Words