Reported: Jun 26, 2021 12:51PM
A lot of people might know what Google Groups is. For those who don't, Google Groups lets users create a group with multiple members, and a common mail ID is provided for it. That address can be used to interact with the members of the group by simply sending an email.
For example:
You create a group named "Apple fans" and a mail ID "[email protected]" is provided. Members of the group can simply send an email to it and the message will be posted in the group !!
Organizations even use Google Groups as a ticket tracking system, and a modified version is being used by Google as its Payment Support System, as far as I know from the information I gathered.
I never really wanted to test Google Groups, but the revised UI made me hunt there. And tbh it was cool.
So I created a group named "Test Groups", added some of my test accounts, and following that I was provided with a common email ID "[email protected]".
When I started sending messages to the Google Group, one feature got my attention: the "[email protected]" address in the email. This feature has been available in Google Groups for many years, but I never saw a single person test it, so I decided to test it myself this time !!
When a user in my "Test Group One" isn't interested in staying in the group, he/she can simply send an email to "[email protected]".
So let's assume I added my friend "[email protected]" and he isn't interested in continuing in the group: he can send a mail to "[email protected]" and he will be removed from the group automatically. Here's a video of how it actually works.
A lot of you might think Email Spoofing is the issue, but it wasn't !!
I initially spent a lot of time (probably more than a week) working out how users were removed from groups and how the SPF policy actually worked in this case. So, in order to remove the user, we need to trick the victim into replying directly to "[email protected]", so I tried the "reply-to" function, which is common in most mailing services.
So when we send out an email, the user's reply is sent to the unsubscribe email, and the user is removed from the group. Refer to the image below for a spoofed mail using reply-to.
But there was a disadvantage: the victim can visibly see which email address he/she is replying to. Even if I reported this, there's no way the Google guys would accept it. So I had to rethink even more in order to find a better attack scenario.
So what I planned was to mask the unsubscribe email. Right now there are many proxy services, but they were too costly, so I opted for an even cheaper version.
The trick here is Auto-Forwarding Emails (Google Support). Here's a simple image for better understanding:
So, when the Victim sends any email to our ID '[email protected]', all incoming emails are automatically forwarded to '[email protected]', the Victim is removed from the Google Group automatically, and the system actually fails to verify it.
A simple image for better understanding !! I tried this attack scenario: I created a group for my organization, added my friends with their consent and sent them an email. They replied to my email and BOOM, they got removed from the group one by one. LOL
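The weak point described above is that the unsubscribe handler trusts the From header of whatever lands in the unsubscribe mailbox, even when the message only got there by being auto-forwarded from an attacker-controlled lure address. As an added example (not code from the write-up or from Google), the check below shows what a stricter handler can verify: the envelope sender (Return-Path) must match the From address, no forwarding/resent headers may be present, and the mail must be addressed directly to the unsubscribe alias. The header names marked as assumptions and all addresses are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: Gmail-style forwarding adds X-Forwarded-To / X-Forwarded-For
# and rewrites the envelope sender (Return-Path); Resent-* covers manual forwards.
FORWARD_HEADERS = ("X-Forwarded-To", "X-Forwarded-For", "Resent-From", "Resent-To")

# Constructed sample messages (example.com / forwarder.example are placeholders).
DIRECT = """Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: test-group-unsubscribe@example.com
Subject: unsubscribe

"""

# The victim replied to the lure address; the lure mailbox auto-forwarded it.
FORWARDED = """Return-Path: <lure+caf_=test-group-unsubscribe=example.com@forwarder.example>
X-Forwarded-To: test-group-unsubscribe@example.com
X-Forwarded-For: lure@forwarder.example test-group-unsubscribe@example.com
From: Alice <alice@example.com>
To: lure@forwarder.example
Subject: Re: quick question

"""

# The lure itself: From looks internal, Reply-To points somewhere else.
LURE = """From: IT Desk <it@example.com>
Reply-To: lure@forwarder.example
To: alice@example.com
Subject: quick question

"""

def should_unsubscribe(raw, members, unsub_alias):
    """Return (decision, reason) for a message received at the unsubscribe alias."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if sender not in members:
        return False, "From address is not a group member"
    if envelope != sender:
        return False, "envelope sender differs from From (relayed or forwarded)"
    if any(h in msg for h in FORWARD_HEADERS):
        return False, "forwarding headers present"
    if parseaddr(msg.get("To", ""))[1].lower() != unsub_alias:
        return False, "not addressed directly to the unsubscribe alias"
    return True, "ok"

def reply_to_mismatch(raw):
    """True when a mail's Reply-To sends replies to an address other than its From."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return bool(reply_to) and reply_to != sender
```

`reply_to_mismatch` is the recipient-side check: a mail client or gateway can flag messages whose replies would go to a different address than the visible sender, which is exactly what the lure relies on.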
And here's the final video PoC of how it is achieved.
But when I decided to send this issue to Google VRP, the response didn't make me happy :(
Yes, the report was closed as 'Intended Behavior' with the above explanation. Seriously, Google Security bois, I literally started crying :(
But I wasn't giving up. The next thing I did was get permission from the Google bois to publish a write-up about this. So I quickly made a write-up and sent it back for approval. And a week later, I got this back: the Product team was favorable to addressing this issue.
And yes, this was exactly what I was expecting, and it happened. Exactly two weeks passed and it was time for the reward.
And yes, it was rewarded $3133.7, which was higher than I expected, coz I estimated this issue at $500 or $1337. And this is one more reason to love Google and Google VRP.
An initial patch has been applied, and I've also reported a patch bypass, which was accepted and is waiting for a Google VRP Panel review.
So see y’all in a new write-up soon guys !!
Thanks for reading !!
Twitter: sriramoffcl
Instagram: sriram_offcl
LinkedIn: sriramkesavan
Well, if you love this write-up, drop a clap 👏 and let's connect:
Peace ✌️ !!!
Thanks for proof-reading: Sandiyo Christan