Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties
A pair of vulnerabilities in Google Cloud, DevSite, and Google Play could have allowed attackers to achieve cross-site scripting (XSS) attacks, opening the door to account hijacks.
Researcher ‘NDevTK’, who discovered both vulnerabilities, wrote: “Due to a vulnerability in the server-side implementation of <devsite-language-selector>, part of the URL was reflected as html, so it was possible to get XSS on the origins using that component from the 404 page.”
The researcher told The Daily Swig that they “don’t think the same server response” would be sent to other users without using an attacker-provided URL.
They wrote: “On the search page of [the] Google Play console vulnerable code was run when the search resulted in an error.
“Getting an error was as simple as doing /?search=& and, because window.location includes the hash, which never encodes ', it’s possible to escape the href context and set other html attributes. Unlike the DevSite XSS this is prevented by the CSP but was still awarded more by the panel.”
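The fragment behaviour the researcher describes, shown as an added illustration that is not code from the researcher, Google Play, or this article: the URL standard's fragment encoding leaves a single quote untouched, so a value taken from window.location and concatenated into a quoted href attribute can close that attribute early, while attribute-encoding the value first keeps it inside the href. The host name and the link-building functions are assumptions for the demonstration.

```javascript
// Added example (not the researcher's or Google's code). In Node, the WHATWG
// URL class applies the same fragment encoding rules as a browser's
// window.location, so it is enough to show the parsing behaviour offline.

// Constructed sample URL (hypothetical host) whose fragment carries a quote.
const SAMPLE_URL = "https://console.example.test/?search=&#'x";

// The fragment percent-encode set does not include ', so the quote reaches
// any script that reads location.hash or location.href verbatim.
function hashOf(url) {
  return new URL(url).hash;
}

// Vulnerable pattern: the raw URL is concatenated into a single-quoted href,
// so a ' in the fragment terminates the attribute and later text becomes
// further attributes of the <a> element.
function buildErrorLinkUnsafe(url) {
  return "<a href='" + url + "'>Retry search</a>";
}

// Hardened pattern: encode every character with meaning inside an HTML
// attribute before concatenating, so the quote cannot end the attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildErrorLinkSafe(url) {
  return "<a href='" + escapeAttr(url) + "'>Retry search</a>";
}

// Check used by the tests: true only when the generated markup still has a
// single, fully quoted href attribute holding the encoded URL and nothing
// else has leaked into the tag, i.e. no attribute-context breakout occurred.
function hrefAttributeIntact(html, url) {
  const m = /^<a href='([^']*)'>Retry search<\/a>$/.exec(html);
  return m !== null && m[1] === escapeAttr(url);
}
```

With the sample URL the unsafe builder produces markup where the href ends at the quote from the fragment, whereas the safe builder keeps the whole value inside the attribute.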
The researcher earned $3,133.70 for the DevSite issue and $5,000 for the vulnerability in Google Play.
Speaking to The Daily Swig, they said that they were “happy with the bounty”.