{"id":1062103,"date":"2022-02-26T11:08:31","date_gmt":"2022-02-26T16:08:31","guid":{"rendered":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/uncategorized\/google-groups-unsubscribe-feature-abused-to-remove-members-without-consent-the-daily-swig\/"},"modified":"2022-02-26T11:08:31","modified_gmt":"2022-02-26T16:08:31","slug":"google-groups-unsubscribe-feature-abused-to-remove-members-without-consent-the-daily-swig","status":"publish","type":"post","link":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/google\/google-groups-unsubscribe-feature-abused-to-remove-members-without-consent-the-daily-swig\/","title":{"rendered":"Google Groups unsubscribe feature abused to remove members without consent &#8211; The Daily Swig"},"content":{"rendered":"<p><p>Emma Woollacott, 23 February 2022 at 11:52 UTC. Updated: 23 February 2022 at 11:57 UTC<\/p>\n<p>‘This could have destroyed the Google Payment system flow’, security researcher tells The Daily Swig<\/p>\n<\/p>\n<p>A flaw in Google Groups has netted a security researcher $3,133 after he discovered that the unsubscribe feature could be abused to remove members without their consent.<\/p>\n<p>More than 20 years old, Google Groups allows people to set up discussion groups with a common mail ID for members. 
Using this service, members of the group can send a single email that will then be posted in the group chat.<\/p>\n<p>Members can automatically unsubscribe from the group by sending an email to, for example, <a href=\"mailto:test_groups_one+unsubscribe@googlegroups.com\">test_groups_one+unsubscribe@googlegroups.com<\/a>.<\/p>\n<p>However, Sriram Kesavan, founder and director of security at India-based TG Cyberlabs, discovered that it was possible to trick the system into removing Google Groups members at will, without their knowledge.<\/p>\n<p>His technique was to email the group and use the reply-to feature, common to most mailing services, so that any reply would be sent to the unsubscribe email address and the member automatically removed.<\/p>\n<p>Using auto-forwarding allowed Kesavan to make the group removal process invisible to the user concerned.<\/p>\n<p>Kesavan says he was able to use the technique to remove users from a Google Group he set up within his own company, and that Google itself uses the service as a Google Payment tracking system.<\/p>\n<p>“I could have literally removed Google employees on several official groups, even if I have no access to it,” he tells The Daily Swig.<\/p>\n<p>“This could have literally destroyed the Google Payment system flow, and could have caused delays on their internal payments.”<\/p>\n<p>When Kesavan reported the issue to Google, it was at first rejected as intended behaviour. 
With permission, he then submitted a full write-up, which won him a $3,133.70 reward.<\/p>\n<p>“Initially the person who was attending to my report was not given sufficient information from my side to decide and finalize it as a valid security issue,” he says.<\/p>\n<p>“Later, when I decided to send a write-up which had all the information, they realized the impact of this issue and the team decided to patch this ASAP, so a quick and simple patch was applied in order to prevent users from exploiting it.”<\/p>\n<p>A Google spokesperson said the company was unable to comment.<\/p>\n<p>See the article here: <\/p>\n<p><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/portswigger.net\/daily-swig\/google-groups-unsubscribe-feature-abused-to-remove-members-without-consent\" title=\"Google Groups unsubscribe feature abused to remove members without consent - The Daily Swig\">Google Groups unsubscribe feature abused to remove members without consent - The Daily Swig<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Emma Woollacott, 23 February 2022 at 11:52 UTC. Updated: 23 February 2022 at 11:57 UTC. ‘This could have destroyed the Google Payment system flow’, security researcher tells The Daily Swig. A flaw in Google Groups has netted a security researcher $3,133 after he discovered that the unsubscribe feature could be abused to remove members without their consent.  
<a href=\"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/google\/google-groups-unsubscribe-feature-abused-to-remove-members-without-consent-the-daily-swig\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[345634],"tags":[],"class_list":["post-1062103","post","type-post","status-publish","format-standard","hentry","category-google"],"_links":{"self":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1062103"}],"collection":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/comments?post=1062103"}],"version-history":[{"count":0,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1062103\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/media?parent=1062103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/categories?post=1062103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/tags?post=1062103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}