As you know that Google has never backed down from delivering high-quality services to its users, and you might think that it will never let you down. Right? Yeah! Most of us think exactly like that. However, this time we might get some serious shock. How’s that? If you’re confident in Google then this news might shock you as well.
Vulnerabilities were found in 3 of the best services of Google
- Google Cloud
- Google Play
- Google DevSite
It has been observed that there are two vulnerabilities that let attackers have the chance to start cross-site scripting attacks. These attacks can loosen up the loopholes for attackers to swindle in and hijack the accounts of users there.
Reflected XSS Bug – Google DevSite
DOM-Based XSS Bug – Google Play
This researcher found both vulnerabilities and said:
<DevSite-language-selector> part of the URL was reflecting like HTML because of the loopholes in the server-side installation. Due to that, it became possible to get XSS on the origins via components from the 404 page.
Also said to The Daily Swig…
Users don’t think that the same server response would be sent to other users if there won’t any use of attack provided URL.
According to them…
The search ends showing an error after running a vulnerable code on the search page of the Google Play Console.
Error Result was possible as doing /?search=&. That’s because of the window. location involves the hash that never encodes. Escaping from the href context and setting up other HTML attributes is possible.
CSP was more powerful in preventing this error than the DevSite XSS, nevertheless, the DevSite XSS was awarded by the panel.
- Researcher got the bounty worth $3,133.70 for the DevSite issue
- They were awarded a bounty of $5,000 for the loopholes in GooglePlay.
To develop, you’ll sacrifice a lot. Be alert and be prepared for the best!
Kindly read more news: