Fixed a critical flaw in Blogger that allowed attackers to write posts on any blog

A security expert discovered a critical CSRF vulnerability in Blogger.com that allows an attacker to write posts in any blog hosted on the popular platform.

The Egyptian security expert Mazen Gamal Mesbah (@MazenGamal) has discovered a critical CSRF (cross-site request forgery) vulnerability in the free weblog publishing tool Blogger.com. An attacker could exploit the vulnerability to write posts on any blog hosted on the popular Blogger publishing platform, and those posts would be publicly visible to everyone.

Potentially any blog is exposed to the risk of attack: an attacker could obtain full control of the publishing platform and disseminate their own content, including links to malicious websites they manage, to spread malware or for phishing purposes.

The vulnerability is really serious and it is very easy to exploit against any blog. The expert released a video PoC.

Below are the steps followed by the researcher to discover the flaw:

  • I found the vulnerability in the Share Articles button in the blog, as shown in the following picture.
  • When I noticed this button I decided to investigate the possible presence of a flaw affecting it.
  • When I clicked on the Blogger Share button I noticed the CSRF token in the request, then I tried to bypass the authentication mechanism based on it.
  • I succeeded in the trick.
  • Once I had verified the presence of the flaw, I wrote an exploit file that could be used against any blog just by knowing the Blog ID.
  • The Blog ID is easy to retrieve; I discovered an easy way to access it.
  • Once I had completed the exploit, I tested it against the Blogger platform and verified that it was working.
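
The article does not say how the token check was bypassed. As an added example (not Blogger's code and not from the researcher), the following shows a server-side handler for a state-changing "create post" request that fails closed on a missing, empty or foreign-session CSRF token and separately checks that the session owns the blog ID. The function names, field names, key handling and sample data are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data: which account owns which blog ID.
BLOG_OWNERS = {"1001": "alice", "2002": "bob"}


def issue_csrf_token(session_id: str) -> str:
    """Return a token tied to one session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    """Fail closed: a missing, empty or non-string token is rejected, never skipped."""
    if not isinstance(token, str) or not token:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), token.encode())


def handle_create_post(session: dict, form: dict) -> int:
    """Return the HTTP status a state-changing 'create post' request should get."""
    if not csrf_token_valid(session["id"], form.get("csrf_token")):
        return 403  # forged or token-less cross-site request
    # The blog ID arrives in the request, so it is only a claim: check ownership.
    if BLOG_OWNERS.get(form.get("blog_id")) != session["user"]:
        return 403
    return 200
```

The ownership check matters independently of the token: a blog ID that is easy to retrieve must never be sufficient, on its own, to authorize a write.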

The timeline for the above vulnerability is reported below:

  • 2/9/2014 – The vulnerability was found and reported by Mazen Gamal Mesbah to Google.
  • 2/9/2014 – Google Blogger team provided a positive response admitting the flaw.
  • 3/9/2014 – The vulnerability in the Blogger platform was fixed.
  • 4/9/2014 – The expert received a bounty from Google for a total of $3133.7.


Mazen Gamal Mesbah is a security researcher from Egypt who is included in many halls of fame of principal IT companies, including Google, Microsoft, Facebook, Twitter and Yahoo!.

Pierluigi Paganini

(Security Affairs –  Google Blogger, CSRF )