Issam Rabhi, A french security researcher has identified a cross-site scripting (XSS) vulnerability in the Google’s Search interface. This is something that many have thought to be impossible after so many years of probing done on it by other security experts.
How did he maneged to find an XSS vulnerability in Google which many failed? I am glad you asked. Actually Rabhi did not find the issue with Google’s classic Search section, but it is in the custom widget Google introduced for the Rio Olympics.
The company still uses the widget today to show final results from the recently concluded Olympic Games, but without the XSS issue, which they have patched in four days after it was disclosed.
According to Rabhi, who is working for a French security company Sysdream, the issue affected only the French version of the Google Olympics widget, and is what experts call a reflected XSS (also known as first-order XSS, self-XSS, type 1 XSS, or non-persistent XSS.)
This means the attacker has to convince a victim into accessing a Google link which already includes the malicious code passed inside the URL’s parameters. Since Google already uses quite lengthy URLs, this should have not been a problem.
When Rabhi informed the company about the issue on August 5, the company’s first response was “Nice catch!” Google fixed the XSS on August 9.
While many companies might dismiss XSS bugs in their bug bounty programs, these issues are the stepping stones to more serious intrusions. XSS exploits allow attackers to collect cookies and XSRF tokens for more intrusive attacks, which allow them to compromise and hijack a target’s accounts.
Of course, not all companies take these issues seriously. One of those who doesn’t is Microsoft. Ilia Kolochenko, CEO of web security firm High-Tech Bridge told Softpedia that Microsoft refused to consider an XSS bug they’ve discovered as a security vulnerability, in the first place.
The issue, detailed here, is a self-XSS in the Microsoft Dynamics CRM, which the company declined to patch, according to Kolochenko.