A security researcher found severe cross-site scripting (XSS) vulnerabilities in Google Cloud and Google Play. Briefly, the researcher observed a reflected XSS vulnerability in Google Cloud and a DOM-based XSS in the Google Play app. The tech giant addressed the flaws following the bug report, rewarding the researcher with huge bounties.
Google Cloud, Google Play XSS Vulnerabilities
Reportedly, a security researcher with the alias NDevTK discovered two cross-site scripting (XSS) vulnerabilities separately affecting the Google Cloud and Google Play services. While both services are not directly linked, the researcher has shared the details of both vulnerabilities together.
As disclosed in his GitHub writeup, the Google Cloud XSS flaw existed due to the vulnerability in the server-side implementation of <devsite-language-selector>. Because of this issue, part of the URL was reflected as HTML, triggering XSS via 404 pages.
Due to a vulnerability in the server-side implementation of
<devsite-language-selector>
part of the URL was reflected as html so it was possible to get XSS on the origins using that component from the 404 page.
The researcher found this vulnerability using the DalFox tool. It typically affected the cloud.google.com and developers.google.com services. Reporting this vulnerability made the researcher win a $3133.70 bounty.
Regarding the second vulnerability, the researcher explained that it specifically affected the search function in Google Play. In simple words, the bug would trigger when a vulnerable code would run if the search resulted in an error.
On the search page of google play console vulnerable code was run when the search resulted in an error.
Triggering this bug merely required the adversary to perform a search.
Getting an error was simple as doing
/?search=&
and becausewindow.location
includes the hash which never encodes'
it’s possible to escape the href context and set other html attributes.
This vulnerability typically affected the play.google.com service. Following this discovery, the researcher reached out to Google, rewarding the researcher with a $5000 bounty.
The researcher explained in his writeup that the CSP would prevent the Google Play XSS flaw. Yet, Google still preferred to reward the bug discovery with a hefty bounty.
What Next?
Since both the vulnerabilities have already received the patches, users don’t need to take any action from their end to ensure security. Nonetheless, keeping their devices updated with the latest app versions is a recommended best practice.