A pair of XSS vulnerabilities in DevSite, Google Play, and Google Cloud could have enabled attackers to launch cross-site scripting (XSS) attacks, potentially leading to account hijacking. This discovery awarded the researcher $5,000 for the Google Play vulnerability and $3,133.70 for the DevSite issue.
What XSS Vulnerabilities were discovered?
The first XSS vulnerability is a reflected XSS bug in Google DevSite. An attacker-controlled link might invoke JavaScript on the origins http://cloud.google.com and http://developers.google.com, allowing a hostile hacker to view and modify its contents while circumventing the same-origin policy.
On Google Play, the second XSS vulnerability is a DOM-based XSS. DOM-based XSS vulnerabilities typically occur when JavaScript obtains data from an attacker-controllable source, such as the URL, and delivers it to a sink that supports dynamic code execution. This permits the attackers to run malicious JavaScript, which empowers them to take over other users’ accounts.
“Due to a vulnerability in the server-side implementation of <devsite-language-selector> part of the URL was reflected as HTML so it was possible to get XSS on the origins using that component from the 404 page,” said NDevTK, the researcher who discovered both the vulnerabilities.
Interested people can read the full bug write-up for the XSS Vulnerability in Google Cloud, Google Play, and Devsite – https://bit.ly/3zwto7M.
