Accidentally discovered bug could have had far-reaching consequences

A DOM-based cross-site scripting (XSS) vulnerability has been discovered in the Google Voice browser extension.

Missoum Said – aka @missoum1307 – recently disclosed his findings in a blog post.

The Google Voice extension can be used to initiate calls and send text messages through the Chrome browser.

Said discovered the XSS issue during a browser session when the extension was installed and his Gmail inbox was open.

After opening Gmail, the extension’s code triggered a popup, prompting Said to explore further.

A clue was a particular line of text in email content: ‘444-555-4455 <img src=x onerror=alert(1)>’.

Click and call

The researcher realized that Google Ads’ customer IDs use the same format as US phone numbers.

After examining the source code of the Google Voice extension, Said ascertained that the bug was contained in the file contentscript.js, in a function called Wg().

Wg() is used to grab phone numbers for the extension’s click-and-call function. It searches through an HTML/XML body for content and assigns text nodes to the variable ‘a’ (a DOM XPath-injection), while another variable, ‘b’, is used to find phone numbers.

If matches are found, these are assigned to variable ‘f’ and put in a span element’s content as variable ‘h’.

An error was discovered in sink functions following script-based checks and verification processes.

According to the researcher, the bug was likely caused by the use of the wrong variable in a part of Wg()’s code – ‘a’ rather than ‘f’.
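
The pattern described above, sketched as an added example; this is not the extension's code or the researcher's. The variable names a, b, f and h follow the article, while the function names, the regex and the CSS class are assumptions made for illustration.

```javascript
// Added illustration of the "wrong variable reaches the sink" pattern.
// PHONE_RE plays the role of 'b': a pattern for US-style phone numbers (assumed).
const PHONE_RE = /\b\d{3}-\d{3}-\d{4}\b/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Flawed form: a number is matched (f), but the whole text node (a) is placed
// into the markup (h) that would then be assigned through an HTML sink.
function wrapVulnerable(a) {
  const f = a.match(PHONE_RE);
  if (!f) return null;
  const h = '<span class="gv-call">' + a + '</span>';
  return h;
}

// Hardened form: only the matched number is wrapped, and every piece of
// page-derived text is escaped before it becomes markup.
function wrapSafe(a) {
  let out = '', last = 0, found = false;
  for (const m of a.matchAll(PHONE_RE)) {
    found = true;
    out += escapeHtml(a.slice(last, m.index));
    out += '<span class="gv-call">' + escapeHtml(m[0]) + '</span>';
    last = m.index + m[0].length;
  }
  return found ? out + escapeHtml(a.slice(last)) : null;
}

// Review-time check: does generated markup contain any element besides our span?
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z!/]/i.test(html);
}

// The text quoted in the article, as it would appear in a text node.
const sample = '444-555-4455 <img src=x onerror=alert(1)>';
console.log(containsForeignTag(wrapVulnerable(sample))); // true
console.log(containsForeignTag(wrapSafe(sample)));       // false
```

In a content script, the same result comes from creating the span with document.createElement and setting its textContent, so page-derived strings never reach innerHTML at all.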

Exploit impact

The XSS vulnerability could be used to execute JavaScript in a browser session on domains such as accounts.google.com and facebook.com.

An attack could be triggered if a vulnerable version of the extension was in use and a victim viewed a crafted email or clicked a malicious link.

The mention of Facebook raised queries on Twitter over whether or not external services contained the same flaw.

However, as it is present in a browser extension that acts as an overlay during an internet session, the flaw is universal and not related to particular domains.



The DOM-based XSS flaw was reported directly to Google and subsequently fixed. The latest version available is 2.5.34.

Said was awarded a bug bounty of $3,133 for his disclosure of the bug.

The researcher told us that while the finding was accidental, he is constantly on the hunt for Google-related vulnerabilities and is an active member of the Google Vulnerability Reward Program.

Google chose not to comment further.

“Automated source code analysis, software composition analysis, fuzzing, and other types of security testing tools are table stakes for modern software development teams,” Jonathan Knudsen, senior security strategist at Synopsys, told The Daily Swig.

“In addition, as was the case here, red teaming or bug bounty programs provide an additional capability to locate vulnerabilities.”

Earlier this month, cybersecurity researcher Vinoth Kumar earned $20,000 for reporting a DOM-based XSS vulnerability in the ‘Login with Facebook’ button.

