This is a short write up of a bug in OAuth 2.0 implementation of Google API. This bug could have allowed an application to delete/create/write on user's existing file in google drive, although it should have only access to file created by itself. For an instance, an application requires access to files created by it :
According to google API documentation, the app should only be able to access files that was opened/created using this app.
I went ahead and tried deleting a file that was in the user's drive but wasn't ever accessed by the application:
This was reported to google security team and has been fixed as of now.
According to google API documentation, the app should only be able to access files that was opened/created using this app.
I went ahead and tried deleting a file that was in the user's drive but wasn't ever accessed by the application:
DELETE https://www.googleapis.com/drive/v2/files/fileId/permissions/permissionId
The response was 204 No content. I checked the files in my drive, the file was no longer there. This meant any application that had drive.file permission(i.e the permission to see files created by the app itself could have been abused to access private files of user.)
This was reported to google security team and has been fixed as of now.
No comments:
Post a Comment