A serious XSS vulnerability was discovered in Google Maps. After the report, Google initially patched the vulnerability; however, the fix turned out to be trivial to bypass, and Google had to issue a second fix.
Google Maps XSS Bug
Zohar Shachar, a security researcher and Head of Application Security at Wix, discovered a critical bug affecting Google Maps: a cross-site scripting (XSS) vulnerability in the export feature of Google Maps.
Sharing the details in his blog post, he revealed that it was possible to manipulate this feature to trigger XSS.
In brief, users can export a map after creating it, in any of several formats. One such format is KML (an XML-based format). In the exported KML, the map name is placed inside a CDATA section, so the browser will not render it as markup. Nonetheless, it was possible to close the CDATA section. As stated in the post,
I found that by adding special chars, you can ‘close’ the CDATA tag. Specifically, by adding ‘]]>’ at the beginning of your payload (i.e. as the beginning of the ‘map name’), you can escape from the CDATA and add arbitrary XML content (which will be rendered as XML) – leading immediately to XSS.
Upon discovering the bug last year (in 2019), he reported it to Google, following which he won a $5000 bounty.
Bounty For Reporting Patch Bypass
While Google deployed a fix alongside awarding the bounty, Shachar noticed that the patch could be bypassed. Specifically, he found that Google had simply fixed the issue by adding another CDATA tag.
So the problem persisted, since it was possible to close both CDATA tags.
Hence, he reached out to Google again to report the matter.
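The added example below (not code from the article, from Google Maps or from Shachar) shows why wrapping an untrusted map name in a CDATA section, once or twice, is not XML escaping: the section ends at the first `]]>` the user supplies. It contrasts that pattern with two fixes, splitting every `]]>` across two CDATA sections and plain entity escaping, and parses each output to check whether the name survived as text or changed the document structure. The KML skeleton and the map name are constructed for the demo.

```python
# Added example: untrusted text inside CDATA vs. two hardened encodings.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KML_NS = "http://www.opengis.net/kml/2.2"
# Minimal constructed KML skeleton; {} is where the map name markup goes.
KML_TEMPLATE = f'<kml xmlns="{KML_NS}"><Document><name>{{}}</name></Document></kml>'


def naive_cdata(name: str) -> str:
    """The pattern behind the bug: the section ends at the first ']]>' in name."""
    return f"<![CDATA[{name}]]>"


def split_cdata(name: str) -> str:
    """Fix 1: break every ']]>' across two CDATA sections so none can end early."""
    return "<![CDATA[" + name.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def escaped_text(name: str) -> str:
    """Fix 2: entity-escape '<', '>' and '&'; the name can never form markup."""
    return escape(name)


def render_kml(name_markup: str) -> str:
    return KML_TEMPLATE.format(name_markup)


def inspect_name(kml: str):
    """Parse the KML and return (text of <name>, number of child elements).
    Any child element means the map name changed the document structure."""
    root = ET.fromstring(kml)
    name_el = root.find(f"{{{KML_NS}}}Document/{{{KML_NS}}}name")
    text = (name_el.text or "") + "".join(child.tail or "" for child in name_el)
    return text, len(list(name_el))


# Constructed map name that closes the CDATA section and adds an element.
# A harmless <note> stands in for the "arbitrary XML content" the article mentions.
ESCAPING_NAME = "]]><note>injected</note><![CDATA["

if __name__ == "__main__":
    encoders = [("naive", naive_cdata), ("split", split_cdata), ("escape", escaped_text)]
    for label, encoder in encoders:
        text, children = inspect_name(render_kml(encoder(ESCAPING_NAME)))
        verdict = "structure changed" if children else "name round-trips"
        print(f"{label:6}: {verdict} (children={children}, text={text!r})")
```

Only the naive encoding lets the constructed name add an element; both hardened encodings return the name unchanged, which is the check worth adding to a regression test when re-validating a fix of this kind.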
Once again, Google not only acknowledged the flaw, but also awarded another $5000 bounty.
So, in total, he won $10000 for reporting the bug and the subsequent patch bypass.
Following this experience, he urges the security community to revalidate fixes.
Ever since this Google-maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off. I wholeheartedly encourage you to do the same.
Let us know your thoughts in the comments.