A security researcher recently discovered a pair of vulnerabilities in Google's DevSite platform (which serves cloud.google.com and developers.google.com) and in Google Play that allowed attackers to launch cross-site scripting (XSS) attacks, opening the way to account hijacking.
The first vulnerability is a reflected XSS flaw in Google DevSite. An attacker could exploit it by sending malicious links that run JavaScript on the origins http://cloud.google.com and http://developers.google.com, meaning a malicious actor could read and alter the contents of those sites, circumventing the same-origin policy.
“Due to a vulnerability in the server-side implementation of part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page,” researcher ‘NDevTK’ explained in a blog post.
The second vulnerability is a DOM-based XSS on Google Play. DOM-based XSS vulnerabilities usually arise when client-side JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution or markup injection, such as eval() or innerHTML. This lets an attacker inject malicious JavaScript, which typically paves the way to hijacking other users’ accounts.
The researcher explained in his blog that the site's Content Security Policy (CSP) would mitigate the Google Play XSS. Google nevertheless rewarded both findings with a hefty bounty: $3,133.70 for the DevSite bug and $5,000 for the vulnerability in Google Play.
“On the search page of [the] Google Play console vulnerable code was run when the search resulted in an error. Getting an error was as simple as doing /?search=& and because window.location includes the hash which never encodes ' it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel,” the researcher added.
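The source-to-sink pattern the two paragraphs above describe, as an added example that is not code from the original article or from NDevTK's write-up: a link built by concatenating the current URL into an attribute, next to a hardened version that validates and attribute-encodes it. The function names, the sample URL and the data-injected marker are constructed for illustration; the functions take the URL as a parameter so the example also runs outside a browser.

```javascript
// Vulnerable pattern: the raw location string is spliced into a single-quoted
// attribute. Browsers never percent-encode ' in the fragment, so a ' in the
// hash closes the attribute and whatever follows is parsed as new attributes.
function buildRetryLinkUnsafe(locationHref) {
  return "<a href='" + locationHref + "'>Retry search</a>";
}

// Minimal HTML attribute encoder: the five characters that can end or alter an
// attribute value are replaced with entities, so the value stays inside the quotes.
function encodeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: parse the value as a URL, allow only http(s), then attribute-encode
// the serialized form. (In a real page, prefer a.setAttribute("href", url.href) over
// string building; the encoder is shown here because the sink is a markup string.)
function buildRetryLinkSafe(locationHref) {
  const fallback = "<a href='/'>Retry search</a>";
  let url;
  try { url = new URL(locationHref); } catch { return fallback; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  return "<a href='" + encodeAttr(url.href) + "'>Retry search</a>";
}

// Test helper: the template defines exactly two raw single quotes (the href
// delimiters). Any extra raw ' means attacker-controlled text left the attribute.
function quoteCount(markup) {
  return (markup.match(/'/g) || []).length;
}

// Constructed sample: an erroring (empty) search plus a fragment carrying a quote
// and a marker attribute. The ' survives URL parsing; only the space becomes %20.
const sampleHref = "https://example.test/console/?search=&#' data-injected='1";

console.log(buildRetryLinkUnsafe(sampleHref)); // 4 raw quotes: data-injected became an attribute
console.log(buildRetryLinkSafe(sampleHref));   // 2 raw quotes: the value stayed inside href
```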
Last year in November, a researcher at Persistent System unearthed a cross-site scripting (XSS) vulnerability in Chrome’s ‘New Tab’ page (NTP) that allowed attackers to run arbitrary JavaScript code.
The attack exploited the vulnerability by sending the target an HTML file containing a cross-site request forgery (CSRF).
If the target opened the file, the CSRF script ran and the crafted query was stored in the browser’s search history. When the user next opened an NTP and clicked on the Google search bar, the malicious code was triggered.