Missing access control at play store


The Google Play Console developer account has an invite feature that lets the account owner invite colleagues/developers to help manage the account and app releases, with permissions that can be restricted per user and per app. In this issue, an invited user with limited permissions was able to view the information of apps the account owner had not granted them access to.

Steps to reproduce:

1.) Log in to https://play.google.com/apps/publish/ as owner A using Chrome.
2.) From A's account, go to Settings > Developer account > Users & Permissions.
3.) Send an invite to user B with read-only permissions.
4.) Open the invite link and log in to B's account using Firefox.
5.) From A's account, change user B's permissions so that B has read-only visibility of only one app.
6.) From B's account, hit refresh: the dashboard now shows B only the one app that A permitted, and none of the other apps listed in the account.
7.) To bypass this check, just visit this URL from B's account.
8.) Here 5765075562513459389 is the account id (which is present in the Play Console URL by default) and com.dummiesguideto.indiantrain is the package name of the app.
9.) User B can now view the information of the other apps present in A's account, even though A has restricted B's view to a single app.
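The steps above fit a familiar pattern: the dashboard listing is filtered by the user's app scope, but the page reached by a direct (account id, package name) URL only checks that the requester belongs to the account at all. The snippet below is an added illustration of that gap and of the fix, written for this page and not code from Google or the Play Console. It models the accounts, users and permissions from the steps in memory; the account id and the first package name are taken from the write-up, while the second package name, the user table and the per-app stats are invented sample data.

```python
"""Illustrative model of the access-control gap in the write-up (not Play Console code).

A user who is a member of the account but scoped to one app can still fetch any
app in the account through the per-app handler if that handler only checks
account membership. The fixed handler checks the object (the app), not just
the container (the account).
"""
from __future__ import annotations

from dataclasses import dataclass

ACCOUNT_ID = "5765075562513459389"              # account id from the write-up
ALLOWED_APP = "com.dummiesguideto.indiantrain"  # package name from the write-up
OTHER_APP = "com.example.otherapp"              # assumption: a second app in A's account

# Constructed state: one developer account holding two apps with made-up stats.
ACCOUNTS = {
    ACCOUNT_ID: {
        "apps": {
            ALLOWED_APP: {"installs": 1200, "rating": 4.1},
            OTHER_APP: {"installs": 8000, "rating": 3.7},
        }
    }
}


@dataclass
class Membership:
    role: str                          # "owner" or "read_only"
    app_scope: set[str] | None = None  # None = every app; otherwise the visible subset


# Constructed user table: A owns the account, B is read-only on one app, C is not a member.
USERS = {
    "A": {ACCOUNT_ID: Membership("owner")},
    "B": {ACCOUNT_ID: Membership("read_only", {ALLOWED_APP})},
    "C": {},
}


class Forbidden(Exception):
    """Raised where a real service would answer 403."""


def _membership(user: str, account_id: str) -> Membership:
    m = USERS.get(user, {}).get(account_id)
    if m is None:
        raise Forbidden("not a member of this account")
    return m


def list_apps(user: str, account_id: str) -> list[str]:
    """Dashboard listing (step 6): correctly filtered by the user's app scope."""
    m = _membership(user, account_id)
    apps = set(ACCOUNTS[account_id]["apps"])
    visible = apps if m.app_scope is None else apps & m.app_scope
    return sorted(visible)


def app_details_vulnerable(user: str, account_id: str, package: str) -> dict:
    """Direct-URL handler as it behaved (steps 7-9): checks account membership only."""
    _membership(user, account_id)
    return ACCOUNTS[account_id]["apps"][package]


def app_details_fixed(user: str, account_id: str, package: str) -> dict:
    """Hardened handler: the app itself must be in the user's scope.

    Unknown packages and out-of-scope packages get the same answer, so a
    scoped user cannot use the error to enumerate which packages exist.
    """
    m = _membership(user, account_id)
    apps = ACCOUNTS[account_id]["apps"]
    in_scope = m.app_scope is None or package in m.app_scope
    if package not in apps or not in_scope:
        raise Forbidden("app not visible to this user")
    return apps[package]


def is_denied(handler, user: str, account_id: str, package: str) -> bool:
    """True if the handler refuses the request (used to compare both handlers)."""
    try:
        handler(user, account_id, package)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("B sees on dashboard:", list_apps("B", ACCOUNT_ID))
    print("B fetches other app (vulnerable):", app_details_vulnerable("B", ACCOUNT_ID, OTHER_APP))
    print("B fetches other app (fixed) denied:", is_denied(app_details_fixed, "B", ACCOUNT_ID, OTHER_APP))
```

The point to carry over to any multi-tenant console: every handler that takes an object identifier from the URL must run the same scope check the listing uses, because a hidden row in the dashboard is not an access control.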

Video PoC

17-April-2018: Fixed and bounty awarded.
5-Sept-2018: Permission granted for public disclosure.

Thank you for reading 🙂
