mxrch / GHunt

🕵️‍♂️ Offensive Google framework.
15.21k stars 1.26k forks

Current state of GHunt, and cookies bug #481

Closed mxrch closed 5 months ago

mxrch commented 5 months ago

Hey

For a few months now, GHunt has slowly started to have cookie issues. Google changed some things related to cookies, with trackers, GDPR, and it became very complex to handle everything, follow every Google update regarding cookies, and do exhaustive and time-consuming tests each time.

Here is how GHunt handles authentication right now:

Then, when a module is executed, it uses APIs with different authentication modes.

Cookies and SAPISIDHASH

This one takes the cookies from the local credentials file; then it takes the SAPISID cookie and the targeted API URL, and generates the SAPISIDHASH that will be used in the Authorization: SAPISIDHASH <hash> header. The generation of this hash is here: https://github.com/mxrch/GHunt/blob/e87346963658dd8d80cef49dbf1bd263e96d352e/ghunt/helpers/utils.py#L33-L34

OAuth2

This one takes the master token from the local credentials file, and uses the following code to generate a temporary token to interact with the service: https://github.com/mxrch/GHunt/blob/e87346963658dd8d80cef49dbf1bd263e96d352e/ghunt/helpers/auth.py#L40-L62 This authentication mode is often used in Google mobile apps, because it's easy to store the master token and reuse it to generate new tokens.

The goal

As cookies are becoming a pain, the goal is to get rid of them completely, at least at the login step. So there are two solutions:

Using OAuth2 everywhere

Currently, the only APIs using cookies are the People API (the most important one) and the Calendar API, which I can already use OAuth2 with; it's just not implemented yet. I personally made progress concerning using OAuth2 with the People API, see this screenshot:

[image]

The OAuth2 token is generated the same way as discussed before, but the main element there is X-Google-Spatula, for example this one: https://github.com/kdodhia06/labellingTool/blob/51fa247d1e36702d8d94f66ae2c4ee51e391e10b/www/netflow_data_dec.json#L113

[image]

It is a protobuf-encoded payload, containing the package name, a hardcoded string (I got the same in my own X-Google-Spatula) and some values I don't know about. Anyway, the main issue there is that it doesn't return the name, and I don't have the permissions to enable the param enablePrivateNames=true, so more R&D is needed.

Using the same endpoint as blackhats

A recent "attack" (wrongly named a vulnerability) has occurred, regarding hackers exploiting the endpoint https://accounts.google.com/oauth/multilogin, which would let us generate cookies from tokens. I'll look at it myself soon, but if someone manages to do a PoC of it, or to get the name of someone through the People API in OAuth2, it would solve our issue with GHunt authentication.

Unnecessary update about me

I recently got involved in https://osint.industries, which is basically GHunt but for ~100 websites. It's not an ad, but I'm having two jobs at the same time now (pentester, and developer for OSINT Industries) and it takes me a lot of time, which results in less activity for open source, from which I can't get revenue. Nevertheless, I know GHunt became a tool widely used in the OSINT community, it already helped in a lot of criminal cases, and I will not drop the development. For the moment, if you have a real need that is worth paying to investigate a Google account (and others), please use OSINT Industries, as we handle the Google authentication ourselves for everyone. Keep in mind that I'll continue the development of GHunt.

Also, thanks a lot to every contributor, like @shion1305 who is trying to fix that issue too. I know a lot of people in the OSINT field don't have development skills, so despite the popularity of the project, there are just a few contributors. So I want to give a big thanks to everyone doing it. ❤️
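As an added illustration of the cookies-and-SAPISIDHASH mode described in the comment above (example code written for this page, not GHunt's own implementation, which the linked utils.py lines remain the reference for), the widely documented scheme is assumed: the digest is SHA-1 over `"<unix_ts> <SAPISID> <origin>"` and the header value is `SAPISIDHASH <unix_ts>_<sha1hex>`, where origin is the scheme and host of the API being called. The verifier side shows what the scheme actually binds: a header is only good for one origin and a short clock window, while the SAPISID cookie is the long-lived secret.

```python
"""Added example: deriving and validating a SAPISIDHASH Authorization header.
Assumed (widely documented, not taken from GHunt's code): the digest is
SHA-1 over "<unix_ts> <SAPISID> <origin>" and the header is
"SAPISIDHASH <unix_ts>_<sha1hex>"."""
import hashlib
import hmac
import time
from typing import Optional


def gen_sapisidhash(sapisid: str, origin: str, timestamp: Optional[int] = None) -> str:
    """Build the Authorization header value for one API origin at one moment."""
    ts = int(time.time()) if timestamp is None else timestamp
    digest = hashlib.sha1(f"{ts} {sapisid} {origin}".encode()).hexdigest()
    return f"SAPISIDHASH {ts}_{digest}"


def verify_sapisidhash(header: str, sapisid: str, origin: str,
                       now: int, max_skew: int = 300) -> bool:
    """Recompute the digest for the claimed timestamp and origin and compare.

    This shows the two properties of the scheme: a captured header is only
    valid for the origin it was computed for, and only inside the clock window
    the verifier accepts (max_skew is an assumed value, not Google's). The
    SAPISID cookie is the long-lived secret; the header is a throwaway proof."""
    prefix = "SAPISIDHASH "
    if not header.startswith(prefix):
        return False
    ts_str, _, digest = header[len(prefix):].partition("_")
    if not ts_str.isdigit() or len(digest) != 40:
        return False
    ts = int(ts_str)
    if abs(now - ts) > max_skew:
        return False
    expected = hashlib.sha1(f"{ts} {sapisid} {origin}".encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Constructed sample values; neither is a real cookie nor a Google origin.
    cookie = "EXAMPLE_SAPISID_VALUE"
    api_origin = "https://people-api.example.invalid"
    hdr = gen_sapisidhash(cookie, api_origin, timestamp=1700000000)
    print(hdr)
    print(verify_sapisidhash(hdr, cookie, api_origin, now=1700000000))  # True
    print(verify_sapisidhash(hdr, cookie, "https://other.example.invalid", now=1700000000))  # False
    print(verify_sapisidhash(hdr, cookie, api_origin, now=1700000000 + 3600))  # False
```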

mxrch commented 5 months ago

Update: I found a way to use https://accounts.google.com/oauth/multilogin, but it requires a new type of master token (with the prefix 1//), so I would have to change the GHunt Companion extension, because in it I use Android master tokens, which start with aas_et. Good news: I also found a way to generate cookies from an Android master token. I can finally remove cookies from the GHunt login! 🥳 I'm making the changes ASAP.

mxrch commented 5 months ago

Released! https://github.com/mxrch/GHunt/releases/tag/v2.1.0