Skip to main content

Google Webchat | Cross Site Scripting Vulnerability

Google Webchat | Cross Site Scripting Vulnerability

I find out that fiber.google.com was using a third party app at fiber-chat.com:8443/googlechat/  similar to FastPath Webchat that has multiple XSS

Turned out that the email parameter was vulnerable to XSS

test@gmail.com"><svg/onload=alert(1)>


When Login off the chat I got a positive XSS response.



I Report this to Google Security Team and the response was this:




Report: Tue, Jun 18, 2013 1:34PM 
Fix: Wed, Jun 19, 2013 9:00AM
No Reward for this Bug

Popular posts from this blog

One Cloud-based Local File Inclusion = Many Companies affected

Hi everyone, Today, I'm going to share how I found a Local File Inclusion that affected companies like Facebook, Linkedin, Dropbox and many others.




The LFI was located at the cloud system of Oracle Responsys. For those who do not know Responsys is an enterprise-scale cloud-based business to consumer (B2C). Responsys gives every Business their own "private IP" to use the system in a private way. Business are not sharing IP with other companies.)

How did I found this bug?

Well as usual I was looking for bugs and I note that Facebook was sending me developer emails from the subdomain em.facebookmail.com. For example on my inbox, I had emails from fbdev@em.facebookmail.com

This got me interested on the subdomain em.facebookmail.com and after a quick DIG I note that this subdomain was connected to "Responsys" which I had previously seen in other Pentests



Responsys is providing em.facebookmail.com with the email services as you can see above. The original link I foun…

Stored XSS at Google firebase via Google Cloud IAM

Google Firebase demo console platform was allowing an attacker to store an XSS under the project name. This vulnerability was created on the main page of the select project. 

- "The Firebase demo project is a standard Firebase project with fully functioning Analytics, Crash Reporting, Test Lab, Notifications, Google Tag Manager and Remote Config features. Any Google user can access it. It’s a great way to look at real app data and explore the Firebase feature set." https://support.google.com/firebase/answer/7157552
-
Using Google IAM (console.cloud.google.com) was possible to create a payload and share it to the victim. Once the victim accepts the invitation at console.firebase.google.com the payload was rendered on the main project page.






Impact: The attacker could share a project from "console.cloud.google.com" and store an XSS payload underconsole.firebase.google.com. This stored payload was been rendered every time the victim access the project page.

Bug Status:
I re…

Store XSS on Main page of Flickr.com and Mobile Inteface

Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005. 

Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily.In August 2011 the site reported that it was hosting more than 6 billion images and this number continues to grow steadily according to reporting sources.

I start doing my security research on flickr.com and I found some cool bugs but this XSS was my favorite because the XSS was showing on Flickr main page and on the Mobile interface at m.flickr.com.

Affecting millions of users for sure..



This attack works by inviting the Victim to a group. The XSS  loads when the victim get notify about a group invitation. Making this XSS very dangerous and perfect to target specific people or people in general.




I report this two bugs to Yahoo Security team and I got two nice reward.

Thanks Yahoo security Team!


Video: Soon.