Add Yourself as a Super Admin to Someone Else's GSuite Organization
We discussed this vulnerability during Episode 99 on 15 November 2021
Great little bug taking advantage of the ability to manage GSuite users directly from within domains.google.com. The flaw was that the GSuite organization name and ID from the user request were trusted. By changing out the organization's domain and ID (this does require knowing the target organization's numeric ID) in the requests domains.google.com
makes when adding a new user, the user will be added to the new domain rather than to the one you actually own.
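
A minimal model of this flaw class, added here as an illustration; it is not Google's code and not from the original write-up, and the ownership table, handler names, organization IDs and domains are all hypothetical. It contrasts a handler that trusts the organization fields in the request with one that checks them against the caller's server-side ownership record.

```python
"""Constructed model of the flaw class described above (not Google's code).
All names, organization IDs and domains here are hypothetical."""


class Forbidden(Exception):
    """Raised when the caller does not administer the requested organization."""


# Server-side record: which (org_id, domain) pairs each account administers.
OWNERSHIP = {
    "alice@alice-corp.test": {("1001", "alice-corp.test")},
    "bob@bob-corp.test": {("2002", "bob-corp.test")},
}


def new_directory():
    """Fresh user directory: org_id -> list of (address, role)."""
    return {"1001": [], "2002": []}


def add_user_trusting(session_user, request, directory):
    """Flawed pattern: org_id and domain are taken from the request as-is.
    session_user is authenticated but never consulted for authorization."""
    address = f'{request["username"]}@{request["domain"]}'
    directory[request["org_id"]].append((address, request["role"]))
    return address


def add_user_checked(session_user, request, directory, ownership=OWNERSHIP):
    """Corrected pattern: the (org_id, domain) pair must appear in the
    caller's server-side ownership record before anything is written."""
    target = (request["org_id"], request["domain"])
    if target not in ownership.get(session_user, set()):
        raise Forbidden(f"{session_user} does not administer org {target[0]}")
    address = f'{request["username"]}@{request["domain"]}'
    directory[request["org_id"]].append((address, request["role"]))
    return address


if __name__ == "__main__":
    # Constructed request: Alice's session, Bob's organization fields.
    req = {"org_id": "2002", "domain": "bob-corp.test",
           "username": "newadmin", "role": "SUPER_ADMIN"}
    d = new_directory()
    add_user_trusting("alice@alice-corp.test", req, d)
    print("trusting handler wrote to org 2002:", d["2002"])
    try:
        add_user_checked("alice@alice-corp.test", req, new_directory())
    except Forbidden as exc:
        print("checked handler refused:", exc)
```

The check keys on the authenticated session, so a request whose organization ID and domain do not match an entry the caller owns is rejected before any write happens.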