Google Authenticated Open Redirect




    Hello Guys!

    While testing Google security, I found an authenticated open redirect vulnerability. As Google does not accept open redirects, it was not accepted, so I decided to share this unpatched bug with you.

    Description:-

    https://appengine.google.com/ redirects the App Engine login to the user's own website, which is created on https://console.cloud.google.com/projectselector/appengine?src=ac&pli=1

    The redirect goes through https://appengine.google.com/_ah/conflogin?continue=http://www.hackerwahab.com after a Google account login, and the continue parameter is not restricted to the user's own app: if www.hackerwahab.com is replaced with any other site, the user is sent there as soon as the sign-in completes.



    Steps to reproduce:
    1. Go to
    https://accounts.google.com/ServiceLogin/signinchooser?continue=https://appengine.google.com/_ah/conflogin?continue=http://www.hackerwahab.com/members&service=ah&ltmpl=gm&flowName=GlifWebSignIn&flowEntry=ServiceLogin
    2. Replace www.hackerwahab.com in the inner continue parameter with any site you control.
    3. Log in with a Google account; the open redirect fires and the browser lands on the site from step 2.
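    The following is an added example and not code from the original post. It reassembles the sign-in URL quoted above on one line, follows each nested continue= parameter to show the hop chain accounts.google.com -> appengine.google.com -> www.hackerwahab.com, rebuilds the same URL with a different (properly percent-encoded) final destination as in step 2, and contrasts both with the kind of per-hop allowlist check a redirect endpoint should apply. The host phish.example and the allowlist {"google.com"} are assumptions for illustration only; nothing here describes how Google actually validates the parameter.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# The sign-in URL quoted in the post, reassembled on one line. The outer
# continue= points at appengine.google.com, whose own continue= is the
# final hop the user lands on after authenticating.
POST_URL = (
    "https://accounts.google.com/ServiceLogin/signinchooser"
    "?continue=https://appengine.google.com/_ah/conflogin"
    "?continue=http://www.hackerwahab.com/members"
    "&service=ah&ltmpl=gm&flowName=GlifWebSignIn&flowEntry=ServiceLogin"
)

# Assumed allowlist for the hardened check below (illustration, not Google's policy).
ALLOWED_HOSTS = frozenset({"google.com"})


def redirect_chain(url, param="continue", max_depth=10):
    """Return the lowercase hostnames visited when each nested continue= is followed.

    parse_qs splits only on '&', so an unencoded inner URL containing '?' and
    '=' still comes back as one value, exactly as the browser would submit it.
    """
    hosts = []
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        hosts.append((parts.hostname or "").lower())
        nxt = parse_qs(parts.query, keep_blank_values=True).get(param)
        if not nxt:
            break
        current = nxt[0]
    return hosts


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact or proper-subdomain match; avoids substring tricks like evil-google.com."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def chain_is_safe(url, allowed=ALLOWED_HOSTS):
    """True only if every hop, including the final landing page, stays on an allowed host.

    A scheme without a host (javascript:, data:) yields '' and is rejected.
    """
    return all(host_allowed(h, allowed) for h in redirect_chain(url))


def build_login_url(final_target):
    """Rebuild the post's URL with a different final continue=, percent-encoding each layer."""
    inner = "https://appengine.google.com/_ah/conflogin?" + urlencode({"continue": final_target})
    outer = urlencode({
        "continue": inner,
        "service": "ah",
        "ltmpl": "gm",
        "flowName": "GlifWebSignIn",
        "flowEntry": "ServiceLogin",
    })
    return "https://accounts.google.com/ServiceLogin/signinchooser?" + outer


if __name__ == "__main__":
    samples = [
        POST_URL,
        build_login_url("https://phish.example/login"),  # assumed attacker host
        build_login_url("https://console.cloud.google.com/projectselector/appengine"),
    ]
    for u in samples:
        print(" -> ".join(redirect_chain(u)), "| safe:", chain_is_safe(u))
```

    Running the script prints the three hop chains; only the last one, whose final continue= stays under google.com, passes the allowlist. The point of checking every hop rather than just the first is that the outer continue= in the post is a legitimate Google host, so a check that stops there would pass the malicious URL.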

    Browser/OS: All

    Attack Scenario:-

    An attacker sends a victim the crafted accounts.google.com link. Because it starts on a genuine Google sign-in page, the victim sees a real Google login before being redirected to the attacker's site, which can phish credentials or serve malware.


    Video PoC:-
