It was a lazy afternoon at the office. After lunch, I was sitting at my desk, preparing slides for an event speech on Google Slides. Once the slides were ready, I clicked on Presenter View to preview them. During the event, I wanted to do a live Q&A session with the audience, so I started searching online to see if Google Slides had such a feature. That’s when I stumbled upon Audience Tools. To enable Audience Tools, you need to go to Presenter View, click on Audience Tools, and then click “Start”.
Curious, I copied the link and opened it in Chrome’s incognito mode to explore how the audience could ask questions. Anyone could ask questions without needing to log in! The user interface of the question box looked a bit outdated, and my bug hunter instincts kicked in. Something felt off, and I decided to dig deeper.
Without wasting any time, I fired up Burp Suite and started testing. I noticed that every time someone asked a question, a unique clientId was included in the POST request. So every comment has a unique clientId. That’s when it clicked — this could be a potential vulnerability.