Vulnerability Type: Cross Site Scripting (XSS)
- Reported on 28 June 3013
- Fixed Now
Sign in to your Google account and go to:
http://www.google.com/
Now, tick the box "I want to use Google Spreadsheet to store, edit and upload my feed" and select the 2nd option.
It will ask you to enter a URL: type "javascript:alert(1)" (without the quotes) as the URL and "Click Me" in the Doc's Title field.
Click OK. Now click on "Click Me" and you will see a pop-up due to the XSS vulnerability.
POC:
I reported this vulnerability to Google and received the reply below:
Hey,
Due to the requirement for the victim to take a few actions, the panel has determined this bug didn't meet the threshold for a reward. Nonetheless, we'd like to acknowledge your assistance on our credit page (http://www.google.com/about/appsecurity/hall-of-fame/distinction/) under "Honorable Mention" - are you interested? If so, what name/link should we list?
It should be of the form: name - site [site link]
I re-edited my URL:
http://www.google.com/
Now, the victim only has to tick the "I want to use Google" option and click on "Click Me".
To make it easier, we could write something else in place of "Click Me", like:
- Session Timed Out! Click To Login Again
- Click here to Sign in
I re-submitted and received the reply below from Google:
Hi,
Thank you for the followup however the decision stands as is.
The vulnerability was fixed after a few days.
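The bug above is a link field that accepts a javascript: URL and renders it behind a user-chosen title. As an added example that is not part of the original post or of Google's code, this is the server-side check a defender would put in front of such a field, written for Node.js so the WHATWG URL parser normalises the input the same way a browser does before following the link (scheme lower-cased, leading whitespace and embedded tab/newline characters stripped); the function names and the sample inputs are assumptions.

```javascript
// Added example, not from the original post. Validates a user-supplied link
// URL with the same parser browsers use, instead of a raw string check such as
// input.startsWith("javascript:") that case and whitespace variants bypass.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL if it may be stored and rendered as an <a href>,
// or null if the value must be rejected.
function sanitizeLinkUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let url;
  try {
    // No base URL is given, so relative input ("feed.xml", "//host/x") throws
    // and is rejected along with anything else the parser cannot understand.
    url = new URL(input);
  } catch (_err) {
    return null;
  }
  // Allowlist, not denylist: anything that is not plain http(s) is dropped.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Embedded credentials (http://user:pass@host/) are not needed for a feed
  // address and make for misleading links, so refuse them too.
  if (url.username || url.password) return null;
  return url.href;
}

// Minimal HTML escaping for text placed in element content or attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Renders the title/link pair the report describes. A rejected URL is shown
// as plain text, so the title can never become a clickable payload.
function renderLink(title, rawUrl) {
  const safeUrl = sanitizeLinkUrl(rawUrl);
  const text = escapeHtml(title);
  return safeUrl === null ? text : `<a href="${escapeHtml(safeUrl)}">${text}</a>`;
}

// Constructed samples: the payload from the report, variants that a naive
// prefix check would miss, a non-http scheme, and legitimate URLs.
const SAMPLES = [
  "javascript:alert(1)",
  "JavaScript:alert(0);",
  "  \tjava\nscript:alert(1)",
  "ftp://example.com/feed.xml",
  "//example.com/feed.xml",
  "https://user:pw@example.com/feed.xml",
  "HTTP://Example.COM/Feed.xml",
  "https://example.com/feed.xml",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "->", sanitizeLinkUrl(s));
```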
2 comments
Javascript:alert(0); can show xss in every site.
Cool!