
Stored XSS on Shopping Express Checkout [Reward]

Google Shopping Express is a same-day shopping service ("shop local stores online and get items delivered on the same day") from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year.

This stored XSS showed up in the "Shopping Express Checkout": by adding a payload to the "City" parameter on wallet.google.com I could bypass the restrictions and trigger the XSS later in Google Checkout.
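The pattern described above, value accepted by one service and rendered by another, is worth seeing in code. The following is an added example and not code from the post or from Google: a small model in which an address-entry endpoint stores a free-text "City" value behind a tag blocklist, and a separate checkout page renders it. The function names, the blocklist and the sample value are assumptions for illustration. It shows why input-side filtering at the entry point does not protect the rendering site, and that encoding for the HTML context at the point of output does.

```python
import html
import re

# Constructed model of a stored XSS across two services (assumption, not Google's code):
# the address-entry service saves the City field; a separate checkout page renders it.
ADDRESS_STORE = {}

# A typical but insufficient input-side defence: a blocklist of a few tag names.
_BLOCKED_TAGS = re.compile(r"<\s*/?\s*(script|iframe)\b", re.IGNORECASE)


def is_rejected(city):
    """True if the entry-point blocklist would refuse this value."""
    return _BLOCKED_TAGS.search(city) is not None


def save_city(user_id, city):
    """Entry point: rejects only blocklisted tags, so any other markup is stored as-is."""
    if is_rejected(city):
        raise ValueError("rejected by input filter")
    ADDRESS_STORE[user_id] = city
    return city


def render_checkout_unsafe(user_id):
    """Vulnerable rendering: trusts stored data because it 'was validated on input'."""
    return f"<p>Deliver to: {ADDRESS_STORE[user_id]}</p>"


def render_checkout_safe(user_id):
    """Fixed rendering: encode for the HTML text context at the point of output."""
    return f"<p>Deliver to: {html.escape(ADDRESS_STORE[user_id], quote=True)}</p>"


def leaks_markup(rendered):
    """Check helper: True if the user-controlled part of the page still holds a raw tag.

    Everything between the fixed prefix and suffix is user data, so any '<' or '>'
    there reached the page without encoding.
    """
    prefix = "<p>Deliver to: "
    suffix = "</p>"
    body = rendered[len(prefix):-len(suffix)]
    return "<" in body or ">" in body


if __name__ == "__main__":
    # Constructed sample value: harmless markup that the blocklist does not catch.
    save_city("u1", '<s title="x">Mountain View</s>')
    print(render_checkout_unsafe("u1"))  # the tag lands in the checkout page unchanged
    print(render_checkout_safe("u1"))    # the tag is rendered as literal text
```

The design point is that the rendering site (checkout) must not rely on what some other service did on input; encoding is applied where the value meets HTML, and `leaks_markup` is the kind of check a test suite can run over rendered output.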

Image of Proof:

This XSS was triggered just before paying; pretty handy, don't you think?

Well, I reported this to the Google Security Team and they replied very quickly, fixing this bug within a week:




I'm very happy to be back in the Google Hall of Fame and I'd like to thank the Google Security Team for the reward.

I created a video reproducing this XSS:

