A blog post and video surfaced today showing how an attacker could quickly and easily gain administrative privileges to your Blogger account. The video shows off some complex techniques, but they could easily be duplicated with the right software and time.
The hacker who posted it, Nir Goldshlager, an Avnet information security specialist, published the vulnerability for the world to see. Goldshlager did mention that this was for the Google Reward Program, in which someone who successfully finds and exploits vulnerabilities in Google software wins $1337.
The seven-minute video Goldshlager posted showed how he gained access to a Blogger account by adding himself as an author (without the administrator's approval), then sent himself a confirmation email, after which he became an author on the website. Following these steps, the attacker modified their own permissions to become an administrator, gaining full access to add, edit, and delete all the content on the victim's blog.
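The sequence above works only if two server-side checks are missing: an author invitation must be created by an existing admin, and a role change must be performed by an admin other than the person being promoted. The following is an added illustrative model of those checks; it is not Blogger's or Google's code and does not reproduce the actual flaw. The `Blog` class, its method names and the sample e-mail addresses are all assumptions made for the example.

```python
"""Illustrative authorization model for a multi-author blog.

Added example (not Blogger's code). It enforces the two controls whose
absence the described attack relies on:
  1. author invitations can only be issued by a current admin;
  2. role changes require an admin actor who is not the target.
"""
import secrets
from dataclasses import dataclass, field

ROLES = ("author", "admin")


class AuthzError(Exception):
    """Raised when an action is not permitted."""


@dataclass
class Blog:
    owner: str
    members: dict = field(default_factory=dict)   # user -> role
    invites: dict = field(default_factory=dict)   # token -> (invitee, issued_by)

    def __post_init__(self):
        self.members[self.owner] = "admin"

    def is_admin(self, user):
        return self.members.get(user) == "admin"

    def invite_author(self, actor, invitee):
        """Only an admin may create an invitation; returns the token
        that would be mailed to the invitee."""
        if not self.is_admin(actor):
            raise AuthzError(f"{actor} is not an admin of this blog")
        token = secrets.token_urlsafe(16)
        self.invites[token] = (invitee, actor)
        return token

    def accept_invite(self, user, token):
        """The confirmation link is single-use, bound to the invited user,
        and only honoured while the issuing admin is still an admin."""
        record = self.invites.pop(token, None)
        if record is None:
            raise AuthzError("unknown or already-used invitation token")
        invitee, issued_by = record
        if invitee != user or not self.is_admin(issued_by):
            raise AuthzError("invitation not valid for this user")
        self.members[user] = "author"

    def change_role(self, actor, target, new_role):
        """Role changes require an admin actor who is not the target."""
        if new_role not in ROLES:
            raise ValueError(f"unknown role {new_role!r}")
        if not self.is_admin(actor):
            raise AuthzError(f"{actor} is not an admin of this blog")
        if actor == target:
            raise AuthzError("users may not change their own role")
        if target not in self.members:
            raise AuthzError(f"{target} is not a member of this blog")
        self.members[target] = new_role


def replay_reported_sequence(blog, user):
    """Run the self-invite / self-promote steps from the post against
    the model and return a list of (step, outcome) tuples."""
    outcomes = []
    try:
        blog.invite_author(user, user)
        outcomes.append(("self-invite", "allowed"))
    except AuthzError as e:
        outcomes.append(("self-invite", f"blocked: {e}"))
    try:
        blog.change_role(user, user, "admin")
        outcomes.append(("self-promote", "allowed"))
    except AuthzError as e:
        outcomes.append(("self-promote", f"blocked: {e}"))
    return outcomes


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    blog = Blog(owner="victim@example.com")
    for step, outcome in replay_reported_sequence(blog, "outsider@example.com"):
        print(f"{step}: {outcome}")
```

Both steps are refused because every privilege-granting action is checked against the caller's current role rather than against whatever user id the request names; the legitimate path (admin issues invite, invitee confirms, admin promotes) still goes through.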
The blog doesn't mention if this vulnerability has been patched by Google or if Google is still unaware of the problem, as the exploit was only posted today.