This bug could have allowed an application to delete or write any of the user’s files in Google Drive, even though the user had permitted the application to access only those files that were created by the application.
For instance, an application requesting access only to files it created itself looks like this:
According to the Google API documentation, after the user clicks Allow, the app should only be able to access files that were opened or created using this app.
I went ahead and tried deleting a file that was in the user’s Drive but had never been accessed or created by the application. Following is the request I sent to test this:
This was reported to the Google security team and has since been fixed.
Jun 5, 2015 – Reported.
Jun 5, 2015 – Triaged.
Jun 11, 2015 – Additional details sent.
Jun 26, 2015 – Fix confirmation, $1337 bounty awarded.
Update: After Google fixed this issue, I was able to bypass the fix again. The bypass involved obtaining the ‘drive.readonly’ permission along with the ‘drive.file’ permission. ‘drive.readonly’ made everything in the user’s Google Drive visible to the application, and ‘drive.file’ could still be used to delete/modify other files in the user’s Google Drive.
The bypass has also been fixed by the Google security team.
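To make the two failures concrete from the defender’s side, here is an added model of the write-authorization decision for a per-app scope like ‘drive.file’, covering the original bug, a bypassable fix and the hardened rule. This is illustrative code written for this post, not Google’s implementation; the shape of the bypassable fix (gating writes on read visibility) is an assumption, since the post does not say why the first fix failed, and the app and file ids are constructed.

```python
from dataclasses import dataclass

# Scope names are the short forms used in the post; "drive" is the full-access scope.
DRIVE, DRIVE_FILE, DRIVE_READONLY = "drive", "drive.file", "drive.readonly"

@dataclass(frozen=True)
class Token:
    app_id: str          # the OAuth client the user granted these scopes to
    scopes: frozenset

@dataclass(frozen=True)
class DriveFile:
    file_id: str
    authorized_apps: frozenset  # apps the user created or opened this file with

def can_read(token, f):
    """Read visibility: drive/drive.readonly see everything, drive.file only its own files."""
    if DRIVE in token.scopes or DRIVE_READONLY in token.scopes:
        return True
    return DRIVE_FILE in token.scopes and token.app_id in f.authorized_apps

def can_write_vulnerable(token, f):
    """Behaviour the post reports: holding drive.file was enough to modify any file."""
    return DRIVE in token.scopes or DRIVE_FILE in token.scopes

def can_write_bypassable(token, f):
    """ASSUMED shape of a fix that is still bypassable (not stated by the post):
    writes are gated on whether the token can *see* the file, so adding
    drive.readonly to drive.file makes every file writable again."""
    return DRIVE in token.scopes or (DRIVE_FILE in token.scopes and can_read(token, f))

def can_write_hardened(token, f):
    """Write authority comes only from the app's own relationship to the file;
    read-only scopes never widen it."""
    if DRIVE in token.scopes:
        return True
    return DRIVE_FILE in token.scopes and token.app_id in f.authorized_apps

# Constructed sample data (hypothetical app id and file ids).
APP = "example-app"
OWN_FILE = DriveFile("file-created-by-app", frozenset({APP}))
OTHER_FILE = DriveFile("file-user-uploaded-elsewhere", frozenset())
FILE_ONLY = Token(APP, frozenset({DRIVE_FILE}))
FILE_PLUS_RO = Token(APP, frozenset({DRIVE_FILE, DRIVE_READONLY}))

def decisions(check):
    """Run one write-check over the post's scenarios: (own file, other file, other file with readonly)."""
    return (check(FILE_ONLY, OWN_FILE), check(FILE_ONLY, OTHER_FILE), check(FILE_PLUS_RO, OTHER_FILE))

if __name__ == "__main__":
    for name, check in [("vulnerable", can_write_vulnerable), ("bypassable", can_write_bypassable),
                        ("hardened", can_write_hardened)]:
        print(name, decisions(check))
```

Only the hardened rule denies both the original delete of a foreign file and the ‘drive.readonly’ + ‘drive.file’ combination; the test for a write scope should be whether the app has a relationship to the file, not whether it can see it.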