Posts

Showing posts from July, 2013

SQL Injection in Apple and Ubuntu - Apology emails...

This week I got two emails, one from Apple and another from Ubuntu, saying:

--

Now all users have to change their passwords. Even me... Maybe in the future they will care more about their security.

This is why all companies should have a Bug Bounty Program.

Highly XSS at Google Hangouts (Reward)

First of all I would like to say this XSS is stored on the Google "sandbox" and it is impossible to grab cookies.

But it is possible to send it to another user using "Google Art Project Add-ons" at https://plus.google.com/hangouts/_/

Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps).

This persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when a modified art project is shared with the victim using the Hangouts add-on (as shown below).



(This is an interactive chat and can be easily used by anyone.)

I first modify the Art Project I want to inject at http://www.google.com/culturalinstitute/project/art-project?hl=en

Then using Google Art Project Add-ons on "Google Hangouts" I can …

Google paid me $3.133 USD!!

Finally! I found the bug I was looking for!! Last week, looking at sketchup.google.com, I found a Flash file vulnerable to XSS at the parameter eventHandler.

With this it was possible to get a positive XSS :)



Google Response:

This is my first big reward and I'm happy as.
I would like to thank Google for starting this program.
Report: Fri, Jul 5, 2013 at 2:13 PM
Fix: Tue, Jul 9, 2013 at 9:00 AM

Dangerous XSS Persistent at Waze.com

Waze is currently using its second generation map editing interface. Known as the Waze Map Editor (or WME for short), it has been the default editor for Waze since September 19, 2011. This editor interface is internally code-named "Papyrus", and was functionally upgraded on April 21, 2013. When adding an alternate city and street name, it was possible to inject a nice XSS.



If I save it in the editor, all users that click on the street get the XSS.

Google Response:

Next time I will wait 6 months :)
Report: Wed, Jun 26, 2013 at 7:53 PM
Fix: Tue, Jul 02, 2013 at 9:00 PM

Swf file Preview at googlegroups.com

On the Wall of Fame of SproutSocial

Nice, I'm on the Wall of Fame of SproutSocial.com


http://sproutsocial.com/responsible-disclosure-policy

Reward from Bugcrowd for Beta015 and Beta016!

Nice, I got a reward from Bugcrowd for Beta015 and Beta016!




Thanks Bugcrowd

Google Webchat | Cross Site Scripting Vulnerability

I found out that fiber.google.com was using a third-party app at fiber-chat.com:8443/googlechat/ similar to FastPath Webchat, which has multiple XSS.

It turned out that the email parameter was vulnerable to XSS:

test@gmail.com"><svg/onload=alert(1)>

When logging off the chat I got a positive XSS response.


I reported this to the Google Security Team and the response was this:




Report: Tue, Jun 18, 2013 1:34 PM
Fix: Wed, Jun 19, 2013 9:00AM
No Reward for this Bug
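The email parameter bug above is an attribute-context injection: the double quote in the value closes the attribute the page echoes the address into, and everything after it is parsed as new markup. The following Python is an added example (not the author's code and not the chat application's real code) that contrasts that vulnerable concatenation with the hardened form. The `<input value="...">` markup is an assumption about how a logout page might echo the address, and the payload quoted in the post is reused here only as test input. The same output encoding is the fix for the stored street-name XSS described in the Waze post above.

```python
import html
import re

# Constructed sample input: the payload quoted in the post, used only to
# show how the two renderings differ.
TEST_EMAIL = 'test@gmail.com"><svg/onload=alert(1)>'


def render_unsafe(email: str) -> str:
    """Vulnerable pattern: raw string concatenation into an HTML attribute.
    Kept only to show what the browser would receive; never use this."""
    return '<input type="text" name="email" value="' + email + '">'


def render_safe(email: str) -> str:
    """Hardened pattern: escape for the HTML attribute context.
    html.escape(..., quote=True) encodes & < > " and ', so the value can
    no longer terminate the attribute or open a tag."""
    return ('<input type="text" name="email" value="'
            + html.escape(email, quote=True) + '">')


# One tag opener per rendered input element is the expected shape.
_TAG_OPENER = re.compile(r"<\s*[a-zA-Z]")


def attribute_is_intact(markup: str) -> bool:
    """Crude structural check: the rendered snippet must contain exactly one
    tag opener (the <input>), i.e. the attribute value did not break out."""
    return len(_TAG_OPENER.findall(markup)) == 1


def looks_like_attribute_breakout(value: str) -> bool:
    """Detection heuristic for reviewing request logs or form input: a quote
    followed by '>' and then a tag opener is the classic attribute break-out
    shape. Heuristic only; encoding at output time is the actual fix."""
    return re.search(r'["\']\s*>\s*<\s*[a-zA-Z]', value) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(TEST_EMAIL))
    print("safe:  ", render_safe(TEST_EMAIL))
    print("breakout shape detected:", looks_like_attribute_breakout(TEST_EMAIL))
```

Running it shows the unsafe rendering containing a second `<svg ...>` element while the safe rendering keeps the whole payload inside the attribute as `&quot;&gt;&lt;svg...`. Note that `html.escape` is the right tool for text and quoted-attribute contexts only; values placed into URLs, inline scripts or event handlers need their own context-specific encoding.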

XSS at us7.admin.mailchimp.com and help.mailchimp.com

I found XSS at us7.admin.mailchimp.com


And another Flash XSS at help.mailchimp.com


Report: Mon, Jun 17, 2013 at 12:46 AM
Fix: Tue, Jun 18, 2013 at 9:00 AM