Stealing Google Drive OAuth tokens from Dropbox ($1728 USD)

We discussed this vulnerability during Episode 147 on 23 May 2022

Inspired by HTTPVoid’s February write-up about Hacking Google Drive Integrations. They took a bit deeper look at how HelloSign patched the SSRF documented.

Turns out the patch was basically just to limit the resources the SSRF could hit, so no access to sensitive endpoints but the SSRF remains. This is important because the SSRF thinks it is accessing a Google Drive API endpoint, so it includes the authorization token for the current user’s Drive integration. Alone, this means an attack can expose their own authorization token to themselves.

Combining this with a CSRF attack, as the page leading to the SSRF itself had no CSRF protection an attacker could have any victim upon visiting their HelloSign link will leak their Google Drive Authorization Token to the attack.