Published On: 14 Feb 2021
CSRF disclose email in Google
CSRF
Google | Web
---
LOW VALIDGoogle Remote Desktop is like a remote desktop tool that allows a user to remotely control another computer
Description
to connect to another device google remote desktop is using access code generated by the host also, it gives the host a notification this user with this email is trying to connect to your device if you want to give him access to your device when the connection is lost there was a GET request used to re-establish the connection attacker could use it in CSRF attack
Impact
CSRF to disclose email
Reproduction Steps
Step
1
Attcker:
attacker start a host on his device and get the a access code to use it in this request
https://remotedesktop.google.com/support/session/*1337*
victim:
when victim visit the attacker site the attacker can open a pop-up for a second and he will the victim email
Videos