Skip to main content

Highly XSS at Google Hangouts (Reward)



First of all I like to said this XSS it's stored on Google "sandbox" and it impossible to grap Cookies.

But its possible to send it to an other user using "Google Art Project Add-ons" at https://plus.google.com/hangouts/_/

Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps).

This Persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when an modify art project it's share to the Victim using hangouts add-ons. 
(like showing under)



(This is an Interactive Chat and can be easy use by anyone) 


I first modify the Art Protect I want to inject at  http://www.google.com/culturalinstitute/project/art-project?hl=en 

Then using Google Art Project Add-ons on "Google Hangouts" I can share it to all users in the chat triggering the XSS.

(Below Google Art Injection Points)



This attack can be use to publish user login cross site scripting attack or other malicious scripts.

Google response:





I like to thanks Google again for this Reward.
 

Popular posts from this blog

One Cloud-based Local File Inclusion = Many Companies affected

Hi everyone, Today, I'm going to share how I found a Local File Inclusion that affected companies like Facebook, Linkedin, Dropbox and many others. The LFI was located at the cloud system of Oracle Responsys. For those who do not know Responsys is an enterprise-scale cloud-based business to consumer (B2C). Responsys gives every Business their own "private IP" to use the system in a private way. Business are not sharing IP with other companies.) How did I found this bug? Well as usual I was looking for bugs and I note that Facebook was sending me developer emails from the subdomain em. facebookmail.com. For example on my inbox, I had emails from fbdev@em.facebookmail.com This got me interested on the subdomain em.facebookmail.com and after a quick DIG I note that this subdomain was connected to "Responsys" which I had previously seen in other Pentests Responsys is providing em.facebookmail.com with the email services as you can see above. T...

Dangerous Persistent XSS at Here.com [FIX]

 Here.com, is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.  HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS. I report a similar bug to Waza.com a few months ago .  Nokia Reponse:   Thanks to Nokia for starting this bug bounty program .

Stored XSS at Google firebase via Google Cloud IAM

Google Firebase demo console platform was allowing an attacker to store an XSS under the project name. This vulnerability was created on the main page of the select project.  - "The Firebase demo project is a standard Firebase project with fully functioning Analytics, Crash Reporting, Test Lab, Notifications, Google Tag Manager and Remote Config features. Any Google user can access it. It’s a great way to look at real app data and explore the Firebase feature set."  https://support.google.c om/firebase/answer/7157552 - Using Google IAM ( console.cloud.google.com ) was possible to create a payload and share it to the victim. Once the victim accepts the invitation at console.firebase.google.com the payload was rendered on the main project page. Impact: The attacker could share a project from " console.cloud.google.com " and store an XSS payload under   console.firebase.google.com . This stored payload was been rendered every time the victim ...