
Bypassing Google’s authentication to access their Internal Admin panels - LinuxBender
https://medium.com/bugbountywriteup/bypassing-googles-fix-to-access-their-internal-admin-panels-12acd3d821e3
======
fiiv
Sounds like a fun one to find. Good on him for digging around. I could totally
see how this oversight would happen too, with the engineers working on a
secure auth system but not thinking about a proxy or caching layer that might
expose them.

~~~
ocdtrekkie
It's intriguing though because it seems like the sort of thing Google is
expressly focused on from a security standpoint. Essentially the problem here
was that access was limited to Google's own network, but Google has repeatedly
talked about how they no longer consider their own internal network secure.
(See also: Anything about BeyondCorp.)

That being said, from the looks of this interface's channel-based settings,
and the mention of YouTube TV, my guess is this is some classic telecom-
industry hardware, and Google may have folks from the TV broadcasting industry
working more heavily on this particular arm of the organization.

It doesn't much look like an interface Google itself designed, so they may be
more limited in how they can lock it down.

