1st security researcher earned $60,000 for Google Chrome hack : Pwnium

Security researcher Sergey Glazunov of Russia has been named as the first researcher to earn $60,000 as part of the Pwnium competition run by Google.

He hacked into a fully patched Windows 7 machine (64-bit) by exploiting a remote code execution vulnerability in Google’s Chrome web browser. His hack qualified as a “Full Chrome” exploit, which carries a $60k reward.

This remote code execution vulnerability could be used by malicious hackers and cyber-criminals to take control of a user's computer after persuading them to visit a rogue web link.


Sundar Pichai, SVP of Chrome and Apps at Google, congratulated Glazunov and said:
"We're working fast on a fix that we'll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users."
$940,000 still remains in the Pwnium prize fund.

Hacker TiPi discovered 8 Persistent XSS Vulnerabilities in Google


A security researcher known as TiPi discovered 8 XSS vulnerabilities in Google and earned $1200 for his Google security vulnerability findings. He lists the vulnerabilities on his own blog.

He managed to find XSS vulnerabilities in Google Maps, Google Map Maker, Google Map Maker Profile, Google Orkut, Google Science Fair and Google Caption Contest. All of them are persistent vulnerabilities.

He published a proof of concept: 

1. Persistent Google Maps XSS
Description: XSS injection in the nickname display of the Google Maps profile.
Type: Persistent XSS
URL: http://maps.google.com/maps/user?uid=[CENSORED]
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period

2. Persistent Google Map Maker XSS
Description: XSS injection in the nickname display of a Google Map Maker profile, in the application itself.
Type: Persistent XSS
URL: http://www.google.com/mapmaker?gw=55&editids=a1hYkdXPQxZ36B7xzV&iwloc=0_0
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period

3. Persistent Google Map Maker Profile XSS
Description: XSS injection in the title of a Google Map Maker profile. The display of the nickname itself on the profile was filtered.
Type: Persistent XSS
URL: http://www.google.com/mapmaker?gw=66&uid=[CENSORED]
Payload: </title><img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: None, found by someone else in the same period

4. Google Orkut XSS
Description: XSS in community description. You don't have to click the HTML button. The XSS triggered every time you tried to edit the community description or tried to view the communication settings. Not a self XSS, as communities can have several administrators.
Type: Persistent XSS
URL: http://www.orkut.com/Main#Community?cmm=[CENSORED]
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: $500

5. Google Science Fair XSS
Description: funny self XSS in a new Google project, "Google Science Fair" (isolated domain). You could enter any HTML code and javascript in the form where you could provide additional team members. The XSS would trigger when you click "register", and hover with your mouse over that field.
Type: SELF-XSS
URL: https://www.googlesciencefair.com
Payload: <script>alert('TiPïXSS!');</script>
State: Fixed
Reward: None

6. Google Caption Contest XSS
Description: users could add comments (and malicious HTML code) on the submitted captions for the Google Caption Contest.
Type: Persistent-XSS
URL: http://www.googleinsidesearch.com/captions.html
Payload: <img src="<img src=search"/onerror=alert("TiPiXSS")//">
State: Fixed
Reward: $100


He also discovered two more vulnerabilities and earned around $500, but Google has not fixed them yet, so he provided only a screenshot.
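The gap entry 3 describes (the nickname filtered where it is displayed, but not in the page title) comes from encoding a stored value at only one of the places it is output. The following is an added example, not code from the original post or from Google: a hypothetical profile template rendered before and after encoding at every sink, with a text-level regression check. The function names, the template and the `TEMPLATE_TAGS` list are assumptions.

```javascript
// Constructed input: the nickname payloads quoted in entries 1 and 3 above.
const SAMPLES = [
  '<img src="<img src=search"/onerror=alert("TiPiXSS")//">',
  '</title><img src="<img src=search"/onerror=alert("TiPiXSS")//">',
];

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical template, "before": mirrors entry 3. The nickname is encoded
// where it is displayed, but copied raw into <title>.
function renderProfileBefore(nickname) {
  return `<html><head><title>Profile of ${nickname}</title></head>` +
         `<body><h1 class="nick">${escapeHtml(nickname)}</h1></body></html>`;
}

// "After": the same stored value is encoded at every sink it reaches.
function renderProfileAfter(nickname) {
  const safe = escapeHtml(nickname);
  return `<html><head><title>Profile of ${safe}</title></head>` +
         `<body><h1 class="nick" title="${safe}">${safe}</h1></body></html>`;
}

// Tags the template itself emits, in order (assumption: matches the template above).
const TEMPLATE_TAGS = ['html', 'head', 'title', '/title', '/head', 'body', 'h1', '/h1', '/body', '/html'];

function tagsIn(html) {
  return [...html.matchAll(/<(\/?[a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Conservative text-level check, not an HTML parser: any tag beyond the
// template's own sequence means stored input reached the page unencoded.
// (A browser treats <title> content as text, which is why the entry 3
// payload closes the title first; the check flags both cases.)
function injectedTags(html) {
  const expected = [...TEMPLATE_TAGS];
  return tagsIn(html).filter((tag) => {
    if (expected[0] === tag) { expected.shift(); return false; }
    return true;
  });
}
```

Run `injectedTags` over the rendered output of every page that shows a user-supplied field, using stored test values like `SAMPLES`, so a sink that was missed shows up as a non-empty result.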

XSS Vulnerability found in YouTube : Google Hall of Fame


A security researcher known online as "Old Man Jenkins" has discovered an XSS vulnerability in Youtube.com. He informed Google about the vulnerability.

The Vulnerable Link:
https://accounts.youtube.com/accounts/CheckConnection?pmpo=

Google patched the vulnerability and sent an email to the researcher stating that the vulnerability is eligible for a $1000 reward and a name on the Google Hall of Fame list.