Critical CSRF flaw in Blogger that allows writing posts on any blog [Fixed]


Blogger is the most famous blogging platform, and almost all bloggers start blogging on it. But an Egyptian security expert has found a critical vulnerability in Blogger.com!

Egyptian security expert Mazen Gamal Mesbah found a Cross-Site Request Forgery (CSRF) flaw in the publishing of new articles on any blog powered by Blogger. All Blogger blogs were vulnerable to this critical CSRF flaw.


By exploiting this critical CSRF flaw in Blogger, an attacker could publish any type of content on any blog that runs on the Blogger platform.

The only thing needed to publish content on any blog is the blog's Blogger ID, and it is very easy to get the Blogger ID of any blog.
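Why a public blog ID cannot protect a publish request, shown as an added example (not Blogger's code and not the researcher's proof of concept). The handler names, the `sid` cookie, the origin and the sample requests are assumptions constructed for illustration, and the session-bound token plus Origin check is a standard defence, not a description of how Google fixed the flaw.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # server-side secret, never sent to clients
TRUSTED_ORIGIN = "https://editor.example"   # hypothetical origin of the post editor

def issue_csrf_token(session_id: str) -> str:
    """Per-session token the server embeds in its own editor form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def publish_cookie_only(request: dict, sessions: dict) -> bool:
    """Flawed pattern: the session cookie plus a public blog id authorises the post."""
    user = sessions.get(request["cookies"].get("sid"))
    return user is not None and request["form"].get("blog_id") in user["blogs"]

def publish_hardened(request: dict, sessions: dict) -> bool:
    """Same authorisation, plus proof the request came from the site's own form."""
    sid = request["cookies"].get("sid")
    if not publish_cookie_only(request, sessions):
        return False
    if request["headers"].get("Origin") != TRUSTED_ORIGIN:
        return False
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(issue_csrf_token(sid).encode(), supplied.encode())

# Constructed sample data: one logged-in author and two incoming requests.
SESSIONS = {"sid-123": {"user": "author", "blogs": {"1000000001"}}}
LEGIT = {
    "cookies": {"sid": "sid-123"},
    "headers": {"Origin": TRUSTED_ORIGIN},
    "form": {"blog_id": "1000000001", "title": "Hello",
             "csrf_token": issue_csrf_token("sid-123")},
}
# Cross-site request: the browser attaches the cookie automatically, but the
# sending page cannot read the token and its Origin is not the editor's.
CROSS_SITE = {
    "cookies": {"sid": "sid-123"},
    "headers": {"Origin": "https://other.example"},
    "form": {"blog_id": "1000000001", "title": "Not written by the author"},
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-site", CROSS_SITE)):
        print(name, publish_cookie_only(req, SESSIONS), publish_hardened(req, SESSIONS))
```

The cookie-only handler accepts both requests because everything it checks is either sent automatically by the browser or publicly known; the hardened handler accepts only the request that carries the session-bound token from the trusted origin.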

Video Proof of concept of this Critical Blogger Vulnerability




Blogger is owned by Google, and Google has a Bug Bounty Program through which information security researchers can submit vulnerabilities and get rewarded.

Timeline of the vulnerability report to Google:


2/9/2014 - Vulnerability was found by the information security researcher.
2/9/2014 - Got a positive response from the Google Security team.
3/9/2014 - Critical CSRF on Blogger fixed by the Google Security Team.
4/9/2014 - Security researcher received a $3133.7 reward from Google.
