Stories of XSS in Google (April – May, 2016)

 

Hello,

This is my first blog post, finally 🙂
I decided to write a post about my findings in the Google Bug Bounty program over the last month. I got several nice XSS bugs, but unfortunately some of them were duplicates. That's okay; at least I got some nice bounties for the rest.

It started with a “Grant Awarded” email. I had previously avoided this bug bounty program because I thought it must be hard to find a bug in it, and that it could waste my time.

But after getting this grant, I tried looking for issues, and the story started….
All of the issues below have been fixed:

 

1. XSS in YouTube (Part 1)

The playlist section on YouTube was vulnerable to XSS. Just put the payload in the field and the alert popped up.
Unfortunately, this issue was a duplicate 🙁


 

2. XSS in YouTube (Part 2)

I got another XSS in YouTube, this time in the “Subtitle” section.
Just put the payload in the “Subtitle” field; then, when you check the transcript on the video page, the alert pops up.


The issue was valid and I got a nice bounty for this one.
Thanks Google 🙂

 

3. XSS in Google Payments

I was checking Google Consumer Survey, and I got this XSS:

1. Create a new survey
2. Change the survey name and put the XSS payload in it
3. Click on “Buy Now”

And the payload is executed…..


After further investigation, I found that the same issue was also triggered under https://wallet.google.com/ and https://bpui0.google.com/


They decided to count them as one bug, but that's okay. Again, this one was valid 🙂

 

4. XSS in Android Developers

The “Search” field on the Android Developers page was vulnerable to XSS.
The PoC was: https://developer.android.com/index.html#q=[XSS_Payload]


This bug was a duplicate. Sad, but it's okay; the saga continues…..
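As an added illustration (not code from this post, and not the Android Developers site's own code), this is the DOM-based pattern a hash-driven search page like the `#q=` URL above typically has: the unsafe rendering beside a hardened one. The heading markup and the function names are assumed for the example.

```javascript
// Added example, not from the post or from Google: the DOM-XSS pattern behind
// a "#q=<term>" search page, shown unsafe and hardened. The page structure
// (a heading that echoes the search term) and the function names are assumed.

// Pull the q= value out of a fragment such as "#q=android%20intent".
function searchTermFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("q") || "";
}

// HTML-escape untrusted text before it is placed in markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw term is concatenated into HTML, so any markup in the
// fragment becomes part of the page (the classic innerHTML sink).
function renderResultsHeadingUnsafe(hash) {
  return `<h2>Results for ${searchTermFromHash(hash)}</h2>`;
}

// Hardened: the term is escaped first, so attacker-controlled markup stays text.
// In a real page, assigning the term via element.textContent avoids the sink entirely.
function renderResultsHeadingSafe(hash) {
  return `<h2>Results for ${escapeHtml(searchTermFromHash(hash))}</h2>`;
}

// Constructed input: a harmless <b> tag is enough to show whether markup survives.
const sampleHash = "#q=" + encodeURIComponent("<b>intent</b>");
console.log(renderResultsHeadingUnsafe(sampleHash)); // <h2>Results for <b>intent</b></h2>
console.log(renderResultsHeadingSafe(sampleHash));   // <h2>Results for &lt;b&gt;intent&lt;/b&gt;</h2>
```

The same escape-before-insert rule applies to reflected query parameters such as the “subject” and “body” ones mentioned in the Inbox finding below.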


5. XSS in Google Inbox

This is my favorite one. After getting some valid bugs, I was encouraged to do more, and after some testing sessions I found this bug.
While checking this site, I started with the Google search “site:inbox.google.com” and this line appeared:

[Screenshot: Google search result for site:inbox.google.com]

My evil mind told me to check the “subject” and “body” parameters in this URL.
And finally….


Yeah, I got another valid one 🙂

 

6. XSS in a Google Subdomain (Soon)

Sadly, this one was also a duplicate…


I will share the bug once the issue has been fixed.

 

===============================================================

Thank you for reading my post. Good luck with your bug hunting 🙂

 

 

12 Comments

  • Jonathan Avery

    June 12, 2016 at 2:00 am

    Nice work. What did you do to get invited for the grant email?

  • Love Google

    June 13, 2016 at 3:59 am

    Can you tell me how much reward you got?
    xxUSD
    xxxUSD
    xxxxUSD
    xxxxxUSD
    xxxxxxUSD ?
    Or more ?

  • Frank

    June 16, 2016 at 4:22 pm

    I love what you guys are usually up to. This sort of clever work and coverage!
    Keep up the awesome work guys, I’ve added you guys to
    my personal blogroll.

  • Will

    June 17, 2016 at 2:20 am

    I’ll immediately clutch your RSS as I can’t
    find your e-mail subscription hyperlink or newsletter service.
    Do you have any? Please allow me to realize so that I may subscribe.
    Thanks.

  • Jim

    June 18, 2016 at 2:48 am

    Thank you for the auspicious writeup. It in fact
    was an amusement account of it. Looking forward to more added agreeable from you!
    By the way, how can we communicate?

  • localhost

    August 8, 2016 at 12:33 pm

    I’m proud of you, mas

  • Rangler

    August 10, 2016 at 7:02 pm

    The paragon of understanding these issues is right here!

  • Hack_Rider

    August 14, 2016 at 2:08 am

    Amazing... mind blowing.
    YouTube playlist: I tried but didn’t get a pop-up.

  • get an Online Ethereum wallet

    September 19, 2016 at 5:17 am

    Howdy! I just would like to offer you a big thumbs up
    for the excellent info you’ve got here on this post.
    I will be coming back to your website for more soon.

  • Kristen

    September 30, 2016 at 6:36 pm

    I’ll right away grab your RSS as I can not find your email subscription link
    or e-newsletter service. Do you have any?
    Please let me recognize in order that I may subscribe.
    Thanks. http://yahoo.org

  • online ethereum wallet

    October 10, 2016 at 2:37 pm

    I think this is one of the most vital pieces of information for
    me. And I’m satisfied studying your article.
    However, I want to remark on a few normal issues: the website taste is ideal, the articles are actually great :
    D. Good job, cheers

  • Darrin

    October 22, 2016 at 1:58 am

    Do you have a spam issue on this site? I also am a blogger, and I was wondering about your situation; many of us have developed
    some nice procedures and we are looking to trade methods with others, why not shoot me an email if
    interested.
