Account Takeover in Google Digital Garage via changing user password due to an IDOR in Google APIs. The bug was an IDOR in Google APIs when changing your password. I discovered it when I was changing my password in Digital Garage Account Settings. Google Digital Garage website uses Google APIs to change user passwords. Google APIs was not validating the requests nor having a token that protects against CSRF Attacks. This brought my attention to test for IDOR vulnerability.
I was able to change my account's password without being authenticated in Google Digital Garage website through sending a request containing my email, old password and the new password from the target googleapis endpoint. This allowed attacker to create fake page and trick users to enter their credentials, then the password will be changed automatically. Also, there was no rate limit protection on that api endpoint, allowing the attacker to make brute force attack against Digital Garage users.
Attacker is able to make brute force attack against Digital Garage users or trick them through a fake page to enter their credentials then their passwords will be changed automatically.
Navigate to the target url https://learndigital.withgoogle.com/digitalgarage and sign in.
Go to 'More' -> 'My Profile' -> 'Update/change your login information' -> 'Change Password' -> Set a new password -> Hit Continue and intercept the request.
The url of the request is
Note: the key is static for all users so it wont change (it is the api key for password change).
Attacker can create fake page and trick the user to login or enter his credentials to get an offer for example, once user do this, his password will automatically change.
Using Script (html, jquery):
I made a script that takes two inputs one for email and the other for password and one button when the user clicks on it, it will change his password if he is either logged in to his account or not.
You will see the script poc in the attached video below.
Run the script -> enter your email and password and click the button -> It will redirects you to the official target url.
Try login with your email and password -> The result will be password incorrect since the script changed your password to attacker's password when you clicked on the button.