Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

postMessage targetOrigin bypass opens room for OAuth authorization code stealing scenarios- 1845

Jakub Domeracki, posted 2 months ago
  • While setting up Gemini Code Assist tools for personal use, the author noticed that the state parameter in the OAuth authorization flow contained an origin key. That value was used as the target origin of postMessage calls, i.e. it decides which window is allowed to receive the messages, and was meant to ensure that only allowlisted domains can obtain information via postMessage. In other words, a very security-sensitive value.
  • The domain check was flawed. It assumed the value was a bare domain string and nothing more, and so only tested whether the end of the string matched one of the allowlisted domains. Because a full URL was accepted, an attacker-controlled host with an allowlisted domain placed in the path passed the check. For example, https://attacker.com/codeassist.google.com ends in codeassist.google.com and therefore passes, even though its actual origin is attacker.com.
  • The result: an attacker could steal the authorization code of Gemini Code Assist end users. The fix was to treat the origin as a URL and validate it strictly (scheme, exact host, no path). Overall, a solid bug in an unusual corner of the code.
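To make the class of bug concrete, here is an added example (my own illustration, not code from the write-up or from Google) contrasting a suffix-only origin check with a strict one, plus the callback-side handoff of the authorization code. The allowlist contents, the function names, and the assumed layout of the state parameter (JSON with an "origin" key) are all assumptions for this example.

```javascript
// Added illustration: suffix check vs. strict origin validation for postMessage.
// ALLOWED_HOSTS, the function names and the state layout are assumptions for
// this example, not Google's actual code.
const ALLOWED_HOSTS = ["codeassist.google.com"];

// Flawed check in the spirit of the bug: treats the value as a bare domain and
// only asks whether the raw string ENDS WITH an allowlisted domain. A URL whose
// path ends in the allowlisted domain passes, although its origin is foreign.
function isAllowedOriginFlawed(origin) {
  return ALLOWED_HOSTS.some((host) => origin.endsWith(host));
}

// Strict check: parse as a URL, require https, reject anything that is not a
// bare origin (path, query, fragment, userinfo), and compare the parsed
// hostname exactly against the allowlist. Returns the normalized origin to
// hand to postMessage, or null if rejected.
function validateOrigin(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // not a parseable URL at all
  }
  if (url.protocol !== "https:") return null;
  // A genuine origin carries no path, query or fragment, so
  // https://attacker.com/codeassist.google.com can never slip through here.
  if (url.pathname !== "/" || url.search !== "" || url.hash !== "") return null;
  if (url.username !== "" || url.password !== "") return null;
  // Compare the parsed hostname, not a suffix of the original string.
  const ok = ALLOWED_HOSTS.some((host) => url.hostname === host);
  return ok ? url.origin : null;
}

// Callback-side handoff: the OAuth redirect page delivers the authorization
// code to the opener window only at a strictly validated target origin taken
// from the state parameter. Refuses (returns false) rather than falling back
// to a wildcard "*" target when validation fails.
function deliverAuthCode(opener, code, state) {
  let parsed;
  try {
    parsed = JSON.parse(state); // assumed state layout: {"origin": "..."}
  } catch {
    return false;
  }
  const target = validateOrigin(String(parsed.origin ?? ""));
  if (target === null) return false;
  opener.postMessage({ code }, target);
  return true;
}
```

Usage: `deliverAuthCode(window.opener, code, stateFromQuery)` in the browser; in a test an object with a `postMessage` method stands in for the opener. The point of `validateOrigin` returning the parsed `url.origin` rather than the caller's string is that whatever reaches `postMessage` as targetOrigin is a canonical origin the browser will enforce, never an attacker-shaped string that merely looks right at its tail.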