Intigriti - Hack Hub
Unrestricted email domains

Last updated 12 months ago

Description:

Developers use Google's OpenID Connect to implement authentication easily and can add an optional query parameter (hd) to the authorization request to limit the login form to a single email domain. However, this optional query parameter can be altered or even omitted to bypass the whitelist, which could allow anyone to sign in using any email address (on the condition that no further restrictions are present).

Testing:

When you come across a Google Login put in front of a restricted asset, try altering the hd query parameter to a domain you control (or have access to):

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=company.com

Change it to example.com:

https://accounts.google.com/o/oauth2/v2/auth?
  response_type=code&
  client_id=1234.apps.googleusercontent.com&
  ...
  hd=example.com

Remediation:

As Google's OpenID Connect documentation specifies, do not rely on this parameter to control access, as it is used solely to optimize the login form:

Don't rely on this UI optimization to control who can access your app, as client-side requests can be modified. Instead, control access for each service in your Google Admin Console.
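The remediation above in code, as an added example that is not part of the Misconfig Mapper docs: the insecure check that trusts the hd parameter of the authorization request, beside a hardened check that decides on the claims of the verified ID token. It assumes the token's signature, issuer and audience have already been verified with a library; the allowed domain and the claim dicts are constructed samples.

```python
ALLOWED_DOMAIN = "company.com"  # assumed Workspace domain of the protected asset


def insecure_is_allowed(auth_request_params: dict) -> bool:
    """Vulnerable pattern: trusts the `hd` value the client sent in the
    authorization request. That value only pre-fills Google's account picker,
    so any user can set it to the expected domain and pass this check."""
    return auth_request_params.get("hd") == ALLOWED_DOMAIN


def secure_is_allowed(claims: dict, allowed_domain: str = ALLOWED_DOMAIN) -> bool:
    """Hardened pattern: decides on claims of an ID token whose signature,
    issuer and audience have already been verified (assumed here).
    Google sets the `hd` claim only for Workspace / Cloud organization
    accounts, so a consumer Gmail account carries no `hd` at all."""
    if claims.get("email_verified") is not True:
        return False
    local_part, at, domain = str(claims.get("email", "")).rpartition("@")
    if not at or not local_part or not domain:
        return False
    # Both the hosted-domain claim and the e-mail's domain must match exactly.
    return claims.get("hd") == allowed_domain and domain.lower() == allowed_domain


# Constructed sample data, not real tokens or accounts.
FORGED_REQUEST = {"hd": "company.com"}  # anyone can send this parameter
EMPLOYEE_CLAIMS = {"email": "alice@company.com", "email_verified": True, "hd": "company.com"}
OUTSIDER_CLAIMS = {"email": "mallory@example.com", "email_verified": True, "hd": "example.com"}
GMAIL_CLAIMS = {"email": "bob@gmail.com", "email_verified": True}  # no hd claim at all

if __name__ == "__main__":
    print("insecure accepts forged request:", insecure_is_allowed(FORGED_REQUEST))  # True
    print("secure accepts employee:", secure_is_allowed(EMPLOYEE_CLAIMS))          # True
    print("secure accepts outsider:", secure_is_allowed(OUTSIDER_CLAIMS))          # False
    print("secure accepts gmail:", secure_is_allowed(GMAIL_CLAIMS))                # False
```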

Potential Impact:

Unauthorized users can sign in and impersonate authorized users, and may additionally gain access to other services within the organization's Google Workspace.

References:

https://twitter.com/intigriti/status/1383397368691789825
https://developers.google.com/identity/openid-connect/openid-connect