Missing access control at play store

Summary:
Google Play Store developer accounts have an invite feature that lets the owner (admin) invite other colleagues/developers to manage the account as well as app releases. In this issue, an invited user with limited permissions was able to see the information of other apps as well, which the account owner had not permitted.
Steps to reproduce:
1.) Log in to https://play.google.com/apps/publish/ as owner A using Chrome.
2.) From A's account go to Settings > Developer account > Users & Permissions.
3.) Send an invite to user B with read-only permissions.
4.) Click the invite link and log in to B's account using Firefox.
5.) From A's account change user B's permissions and restrict B's visibility to one app with read-only permissions.
6.) From B's account hit refresh: on the dashboard B can only see the one app permitted by user A and cannot see the other listed apps.
7.) To bypass this check, just visit this URL from B's account:
https://play.google.com/apps/publish/?account=5765075562513459389#StatisticsPlace:p=com.dummiesguideto.indiantrain
8.) Here 5765075562513459389 is the account id, which will be there by default, and com.dummiesguideto.indiantrain is the package name of the app.
9.) Now user B is able to view the information of other apps present in A's account even though A has applied the restricted view of apps for user B.
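The pattern behind these steps is that the dashboard filters the app list per user while the statistics page only checks that the user belongs to the account named in the URL. The following is an added example written for this write-up, not Google's code: it models that logic in Python with a vulnerable handler beside a hardened one, and generalises the manual check in steps 6 to 9 into an authorization-matrix test that tries every (user, package) pair directly and reports the ones the dashboard did not list. The account id, package names, user names and statistics are constructed for the example.

```python
"""Model of the Play Console bug: a dashboard that hides apps outside a user's
scope, next to a statistics endpoint that only checks account membership.
All data below is constructed for the example."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


class Forbidden(Exception):
    """Raised when a request fails authorization."""


@dataclass
class Account:
    """A developer account with its apps, members and per-member app scope."""
    account_id: str
    apps: Set[str]
    members: Dict[str, str]                                   # user -> role
    app_scope: Dict[str, Optional[Set[str]]] = field(default_factory=dict)  # None = all apps


# Constructed sample data (assumed account id and package names).
ACCOUNTS: Dict[str, Account] = {
    "1234567890123456789": Account(
        account_id="1234567890123456789",
        apps={"com.example.alpha", "com.example.beta"},
        members={"A": "owner", "B": "read-only"},
        app_scope={"A": None, "B": {"com.example.alpha"}},   # B restricted to one app
    )
}
STATS: Dict[str, dict] = {
    "com.example.alpha": {"installs": 1200},
    "com.example.beta": {"installs": 87000},
}


def visible_apps(account: Account, user: str) -> Set[str]:
    """What the dashboard lists: account membership plus the per-user app scope."""
    if user not in account.members:
        raise Forbidden(f"{user} is not a member of {account.account_id}")
    scope = account.app_scope.get(user)
    return set(account.apps) if scope is None else account.apps & scope


def statistics_vulnerable(account_id: str, user: str, package: str) -> dict:
    """Direct-URL handler as the bug behaved: checks that the user belongs to the
    account from ?account=, then trusts the package from the URL fragment."""
    account = ACCOUNTS[account_id]
    if user not in account.members:
        raise Forbidden(f"{user} is not a member of {account_id}")
    if package not in account.apps:
        raise KeyError(package)
    return STATS[package]          # the per-user app scope is never consulted


def statistics_fixed(account_id: str, user: str, package: str) -> dict:
    """Hardened handler: the object-level check reuses the dashboard's scope,
    so a hidden app is also unreachable by direct URL."""
    account = ACCOUNTS[account_id]
    if package not in visible_apps(account, user):   # Forbidden for non-members too
        raise Forbidden(f"{user} may not view {package}")
    return STATS[package]


Handler = Callable[[str, str, str], dict]


def authorization_matrix(handler: Handler, account_id: str,
                         users: Iterable[str], packages: Iterable[str]) -> List[Tuple[str, str]]:
    """Tester's check from the report, generalised: for every (user, package) pair
    compare the dashboard listing with a direct request. Returns the pairs where the
    direct request succeeded although the dashboard did not list the package."""
    account = ACCOUNTS[account_id]
    findings: List[Tuple[str, str]] = []
    for user in users:
        try:
            listed = visible_apps(account, user)
        except Forbidden:
            listed = set()
        for package in packages:
            try:
                handler(account_id, user, package)
                reachable = True
            except Forbidden:
                reachable = False
            if reachable and package not in listed:
                findings.append((user, package))
    return findings


if __name__ == "__main__":
    users, packages = ["A", "B", "C"], sorted(STATS)     # C is not a member at all
    for name, handler in (("vulnerable", statistics_vulnerable), ("fixed", statistics_fixed)):
        print(name, authorization_matrix(handler, "1234567890123456789", users, packages))
```

Run with the vulnerable handler the matrix reports ("B", "com.example.beta"), the same discrepancy step 9 describes; with the fixed handler it reports nothing, and the outsider C is refused by both. The design point is that the UI filter and the endpoint must share one authorization function: a list endpoint that hides objects is not a substitute for checking the object id on every request that names one.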
Video PoC
Timeline:
6-April-2018: Reported.
6-April-2018: Triaged.
17-April-2018: Fixed and bounty rewarded.
5-Sept-2018: Granted permission for public disclosure.
Thank you for reading 🙂