{"id":849,"date":"2025-10-01T07:50:38","date_gmt":"2025-10-01T07:50:38","guid":{"rendered":"https:\/\/www.kacateknologi.com\/en\/?p=849"},"modified":"2025-10-01T07:53:42","modified_gmt":"2025-10-01T07:53:42","slug":"privilege-escalation-vulnerability-in-google-search-console","status":"publish","type":"post","link":"https:\/\/www.kacateknologi.com\/en\/privilege-escalation-vulnerability-in-google-search-console\/","title":{"rendered":"$3,133.70 Bounty for Privilege Escalation Vulnerability in Google Search Console (GSC) via DOM Manipulation"},"content":{"rendered":"\n

Kaca Teknologi<\/strong> – A privilege escalation vulnerability was discovered in Google Search Console that allowed an attacker to export all performance data to BigQuery despite permission restrictions. This finding alone was rewarded with $3,133.70 through the Google Vulnerability Reward Program (VRP).<\/p>\n\n\n\n

If you\u2019re expecting a \u201cfancy\u201d exploitation scenario, this article may not meet your expectations.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Background of Discovering a Privilege Escalation Vulnerability in Google Search Console (GSC)<\/h2><\/div>\n\n\n\n
\"$3,133.70<\/figure>\n\n\n\n

It all started at 2 AM when I needed to export my website performance data from GSC for data visualization. While looking for that feature, I came across the Bulk Data Export option to BigQuery.<\/p>\n\n\n\n

The difference between exporting performance data to Google Sheets, CSV, or Excel is that those methods only allow a one-time export for the selected date. In contrast, Bulk Data Export provides full, unsampled datasets without the row limits of CSV exports, enabling automated daily transfers and long-term data retention.<\/p>\n\n\n\n

However, when I tried to export the data, I encountered a message: \u201cYou must<\/strong> be a property owner.\u201d The Continue button was disabled since my account only had a low-privilege role.<\/p>\n\n\n\n

\"Bulk<\/figure>\n\n\n\n

The word \u201cmust\u201d<\/strong> indicates that the role of property owner is mandatory. Sometimes, when you\u2019re looking for vulnerabilities and the documentation says \u201cshould\u201d<\/strong>, you need to carefully validate whether the role is truly mandatory or if it\u2019s still possible to perform certain actions through another endpoint or feature. Not every restriction that can be bypassed qualifies as a vulnerability.<\/span><\/p>\n\n\n\n

I often attempt to bypass such restrictions, but I\u2019ve learned that some are still considered intended behavior since they aren\u2019t strictly mandatory. As a result, a few of my reports have been closed as informative.<\/p>\n\n\n\n

Understanding The Roles in Google Search Console (GSC)<\/h2>\n\n\n\n

You may skip this part, but there\u2019s a condition I want to emphasize. GSC has three main roles:<\/p>\n\n\n\n

    \n
  • Property Owner: full control over the property.<\/li>\n\n\n\n
  • Full User: can view site data and perform some actions.<\/li>\n\n\n\n
  • Restricted: can view site data but is limited in actions.<\/li>\n<\/ul>\n\n\n\n

    When testing Broken Access Control (BAC), usually each role behaves differently. If a restriction cannot be bypassed in role A, that doesn\u2019t mean it\u2019s not bypassable in role B, so test each role. <\/p>\n\n\n\n

    I usually apply a “what-if approach” to explore and attempt exploits for every role; this helps me craft dozens of exploitation scenarios. I\u2019ll discuss this more deeply in another article.<\/p>\n\n\n\n

    Bypassing the Restriction to Fully Export Performance Data<\/h2><\/div>\n\n\n\n

    Since it was 2 AM and I was too lazy to open Burp Suite, whether I used Burp or not didn\u2019t matter as long as I achieved the goal.<\/p>\n\n\n\n

    Using a Full<\/strong> role, I configured my Google Cloud project and then right-clicked the disabled Continue button in the UI. I modified the button element from disabled<\/code> to enabled<\/code>, which made the Continue button clickable.<\/p>\n\n\n\n

    \"Bypass<\/span><\/figure><\/div>\n\n\n\n
    \"Data<\/figure>\n\n\n\n

    Here is the complete code before modification:<\/p>\n\n\n\n

    <button class=\"VfPpkd-LgbsSe VfPpkd-LgbsSe-OWXEXe-k8QpJ VfPpkd-LgbsSe-OWXEXe-dgl2Hf nCP5yc AjY5Oe DuMIQc LQeN7 P01spf\" jscontroller=\"soHxf\" jsaction=\"click:cOuCgd; mousedown:UX7yZ; mouseup:lbsD7e; mouseenter:tfO1Yc; mouseleave:JywGue; touchstart:p6p2H; touchmove:FwuNnf; touchend:yfqBxc; touchcancel:JMtRjd; focus:AHmuwe; blur:O22p3e; contextmenu:mg9Pef;mlnRJb:fLiPzd\" data-idom-class=\"nCP5yc AjY5Oe DuMIQc LQeN7 P01spf\" jsname=\"EwKiCc\" data-tooltip-enabled=\"true\" aria-describedby=\"tt-c85\" style=\"--mdc-ripple-fg-size: 65px; --mdc-ripple-fg-scale: 1.9163256995605362; --mdc-ripple-fg-translate-start: 41.5px, -3.5px; --mdc-ripple-fg-translate-end: 21.87890625px, -14.5px;\" disabled<\/strong>=\"\"><div class=\"VfPpkd-Jh9lGc\"><\/div><div class=\"VfPpkd-J1Ukfc-LhBDec\"><\/div><div class=\"VfPpkd-RLmnJb\"><\/div><span jsname=\"V67aGc\" class=\"VfPpkd-vQzf8d\">Continue<\/span><\/button><\/code><\/pre>\n\n\n\n
    The code after modification:<\/p>\n\n\n\n
    <button class=\"VfPpkd-LgbsSe VfPpkd-LgbsSe-OWXEXe-k8QpJ VfPpkd-LgbsSe-OWXEXe-dgl2Hf nCP5yc AjY5Oe DuMIQc LQeN7 P01spf\" jscontroller=\"soHxf\" jsaction=\"click:cOuCgd; mousedown:UX7yZ; mouseup:lbsD7e; mouseenter:tfO1Yc; mouseleave:JywGue; touchstart:p6p2H; touchmove:FwuNnf; touchend:yfqBxc; touchcancel:JMtRjd; focus:AHmuwe; blur:O22p3e; contextmenu:mg9Pef;mlnRJb:fLiPzd\" data-idom-class=\"nCP5yc AjY5Oe DuMIQc LQeN7 P01spf\" jsname=\"EwKiCc\" data-tooltip-enabled=\"true\" aria-describedby=\"tt-c85\" style=\"--mdc-ripple-fg-size: 65px; --mdc-ripple-fg-scale: 1.9163256995605362; --mdc-ripple-fg-translate-start: 41.5px, -3.5px; --mdc-ripple-fg-translate-end: 21.87890625px, -14.5px;\" enabled<\/strong>=\"\"><div class=\"VfPpkd-Jh9lGc\"><\/div><div class=\"VfPpkd-J1Ukfc-LhBDec\"><\/div><div class=\"VfPpkd-RLmnJb\"><\/div><span jsname=\"V67aGc\" class=\"VfPpkd-vQzf8d\">Continue<\/span><\/button><\/code><\/pre>\n\n\n\n
    After modifying the button, the export action succeeded and I was able to export Search Console performance data to my Google Cloud project despite not having the required property owner permission. Once the export started, the attacker could not stop the export process. I repeated the same DOM modification to enable and then stop the export process.<\/p>\n\n\n\n
    For clarity, see the video PoC below.<\/p>\n\n\n\n
    \n