Bypassing Google Email Domain Check to Deliver Spam Email on Google’s Behalf

Welcome to this blog again, this is my second write up about my Bug Hunting Journey, if you missed the first write up about how I could buy anything for free in Yahoo, please go here to have a look.

Now, this write up is about how I use Google’s service to send email with any domain names, and with arbitrary title/content. You can safely say that I can hijack Google’s email service to send any email to anyone I want. Sounds severe right? I agree with you, but Google Security Team treat that as a low severity bug as they believe anyone could have send spam email, so this finding does not qualify for reward. Ok, they got a point, the process to find it is fun anyway. Let’s see how I manage to hijack their email service.

Google FireBase

Google’s FIrebase is a super useful service that could save developers tons of effort. It provides authentication service that could integrate with any platform you want, like web, iOS, android. So developers do not need to build an authentication mechanism from scratch.

There is some functions that firebase must provide in order to have a competent service, sending password reset email is one of those must have functions. From the screenshot below, we can see it allows us to user our own domain name and own template to deliver the password reset email. Firebase is nice, nice enough to allow developers to specify their own domain name to deliver the email. Before using custom domain name, we have to prove to Google that we actually own the domain.

Email Template
Email Template


But here is the problem, I can specify any domain name without proving I am the owner. Actually this is a classic example of how developers would make careless mistake, when we look at the front end, we cannot tamper with the domain name. However if we capture the traffic and look at the request body, and carefully change the domain name, we can actually bypass the check and use any domain name instantly.

In the request body, I notice there is a {“email”:””}. So I change that to {“email”:””}, and trigger the password reset. The final result is this.

Hijacked Domain Name
Hijacked Domain Name

So I documented all these finding and send it to Google Security Team and have it fixed within a week.

Of cause is very obviously a scam domain name, but imagine I used, with nicely crafted message, it is not difficult to deliver spam email effectively by abusing this bug.