A pair of cross-site scripting (XSS) vulnerabilities affecting DevSite, Google Play, and Google Cloud could have let attackers run script in those origins, potentially leading to account hijacking. The researcher was awarded $5,000 for the Google Play vulnerability and $3,133.70 for the DevSite issue.
What XSS vulnerabilities were discovered?
“Due to a vulnerability in the server-side implementation of <devsite-language-selector>, part of the URL was reflected as HTML, so it was possible to get XSS on the origins using that component from the 404 page,” said NDevTK, the researcher who discovered both vulnerabilities.
The full bug write-up for the XSS vulnerabilities in Google Cloud, Google Play, and DevSite is available at https://bit.ly/3zwto7M.
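
The bug class described in the quote, shown as an added example (not Google's or the researcher's code): a 404 page whose language selector reflects part of the request path into HTML, next to a variant that encodes it for the URL and attribute contexts. The function names, language list and sample path are constructed for this illustration.

```python
import html
from urllib.parse import quote, unquote

LANGS = ("en", "de", "ja")  # constructed language list (assumption)


def selector_vulnerable(path: str) -> str:
    """Reflects the decoded request path into markup with no output encoding."""
    decoded = unquote(path)
    links = "".join(f'<a href="{decoded}?hl={lang}">{lang}</a>' for lang in LANGS)
    return f"<devsite-language-selector>{links}</devsite-language-selector>"


def selector_hardened(path: str) -> str:
    """Encodes the path for the URL context, then escapes it for the attribute."""
    decoded = unquote(path)
    safe_path = quote(decoded, safe="/")  # percent-encodes ", <, > and spaces
    links = []
    for lang in LANGS:
        href = html.escape(f"{safe_path}?hl={lang}", quote=True)
        links.append(f'<a href="{href}">{html.escape(lang)}</a>')
    return f"<devsite-language-selector>{''.join(links)}</devsite-language-selector>"


def render_404(path: str, selector) -> str:
    """Builds the 404 page body around the chosen selector implementation."""
    return f"<!doctype html><title>404</title><h1>Not found</h1>{selector(path)}"


# Constructed request path: percent-encoded markup that would close the attribute.
SAMPLE_PATH = "/docs/missing%22%3E%3Ci%3Econstructed%3C/i%3E"


def injected_markup_present(page: str) -> bool:
    """True when the path's markup reached the page as live HTML."""
    return "<i>constructed</i>" in page


if __name__ == "__main__":
    for name, fn in (("vulnerable", selector_vulnerable), ("hardened", selector_hardened)):
        page = render_404(SAMPLE_PATH, fn)
        print(f"{name}: markup reflected = {injected_markup_present(page)}")
```
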