Google Security Issue #3: Light CSRF on Google Analytics

Light meaning the damage is minor, but it is still a CSRF. You could delete all scheduled e-mails; this is how it used to work:

If you go to Google Analytics->My Customization->Email, the following call is not protected:

https://www.google.com/analytics/reporting/delete_email?emailId=0&id=xxx&pdr=20100926-20101203&cmp=average&trows=10

This works even without the pdr parameter, so you only need to know the id; you can then iterate emailId from 0 upwards, deleting all the scheduled e-mails.

The following is a plausible scenario for obtaining the id and executing the CSRF at the same time:

  1. Attacker builds a page that extracts the needed id from the Referer and, using that id, iterates emailId from 0 to n, issuing unprotected delete e-mail calls like the one above.
  2. Attacker makes sure he visits the victim's site from his attack page.
  3. Victim opens Analytics->Traffic Sources->Referring Sites.
  4. Victim clicks on the link to the attacker page, thus setting the Referer to something like this:
  5. The attacker page deletes all data from Scheduled Emails.
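The root cause above is a state-changing action reachable by a bare GET with no anti-CSRF token, combined with the account id leaking through the Referer header. The handler below is an added example (not Google's code) of how such a delete endpoint is hardened; the request shape, session id and `scheduled` dictionary are hypothetical.

```python
# Added example (not Google's code): a hardened "delete scheduled e-mail" action.
# The vulnerable endpoint accepted a plain GET with only emailId and the account id,
# so any page the victim visited could trigger it. Three controls close that gap:
#   1. state changes require POST, so an <img>, link or redirect cannot fire them;
#   2. a per-session anti-CSRF token (HMAC over the session id) must be echoed back;
#   3. every response carries Referrer-Policy so ids in URLs stop leaking via Referer.
import hmac
import hashlib
import secrets

# Constructed for the example; a real deployment loads this from a secret store.
SERVER_SECRET = secrets.token_bytes(32)

def csrf_token(session_id: str) -> str:
    """Per-session token a third-party page cannot compute without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def secure_headers() -> dict:
    """Headers for every response; Referrer-Policy keeps the account id out of Referer."""
    return {"Referrer-Policy": "same-origin"}

def handle_delete_email(request: dict, session_id: str, scheduled: dict) -> dict:
    """request = {'method', 'params', 'headers'} (hypothetical shape);
    scheduled maps emailId -> description and is mutated on success."""
    headers = secure_headers()
    if request["method"] != "POST":
        headers["Allow"] = "POST"
        return {"status": 405, "headers": headers, "deleted": None}
    # Modern browsers send Sec-Fetch-Site; reject cross-site requests outright.
    # When the header is absent (older browser) the token check below still applies.
    fetch_site = request["headers"].get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site not in ("same-origin", "none"):
        return {"status": 403, "headers": headers, "deleted": None}
    token = request["params"].get("csrf", "")
    expected = csrf_token(session_id)
    # Constant-time comparison on bytes; a missing or forged token is rejected.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return {"status": 403, "headers": headers, "deleted": None}
    deleted = scheduled.pop(request["params"].get("emailId"), None)
    return {"status": 200 if deleted is not None else 404,
            "headers": headers, "deleted": deleted}
```

A forged GET, a POST without the right token, and a cross-site POST all leave the `scheduled` dictionary untouched; only a same-origin POST carrying the session's token deletes an entry.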

1 comment so far ↓

#1 Alex on 11.11.12 at 1:51 pm

Very good, 10 out of 10. A "successful" industry. The problem is a different one: if you have mistresses and these guys delete your calendar, your wife catches you! You can't manage them any more; it's incredible how much harm an application like this can do to you! 🙂
