Hot to Gain Administrative Privileges on any Blogger

Last night I received an email from Nir, who wanted to share with me its great work on the 1337$ Google Reward Program he completed.

The vulnerability he found could be used by an attacker to get administrator privilege over any blogger account thanks to the HTTP Parameter Pollution vulnerability in Blogger that allows an attacker to add himself as an administrator on the victim’s blogger account.

Nir exploited a vulnerability due to the inconsistency of parameter evaluation and parameter elaboration as the volloging attack vector shows:


security_token=attackertoken&blogID=attackerblogidvalue&
blogID=victimblogidvalue&authorsList=goldshlager19test%40gmail.com
(attacker email)&ok=Invite

There are two blogid values in the post request (blogID=attackerblogidvalue&blogID=victimblogidvalue)


The server checks the first blogid value and executes the second blogid value: the attacker one.

In the same way Nir injects the memberID gaining admin privileges.
Here the great video he made.





Well, what to say now.... Thank you for sharing and for have waited my own post instead of put it by yourself ! ;)