Google Bug Bounty Story
I discovered a stored cross-site scripting vulnerability on Google. In this post, I will walk through all the steps I followed while exploring the bug. While I was looking for the latest cross-site scripting videos on YouTube, I came across Frans Rosén’s video, which had been posted 3 months earlier.
I started by visiting Google’s web store dashboard application. First, I registered a developer account on the dashboard. Second, I added a new item to analyse its details. Third, I edited the new item to look for an injection point. Unfortunately, I found nothing.
I went back to the web store dashboard page. On that page, the More info section caught my attention. I clicked on More info and then on the Start or check progress button.
At the end of the Start or check progress flow, I saw a Complete your purchase section. It included Card number, Cardholder name and Address input fields.
I started looking for a way to edit the address. I visited Google’s payments application to change the address lines.
I changed the Address line 1, Address line 2 and City input values to the <script>alert(document.domain)</script> payload and saved it. Then I repeated the earlier Start or check progress step.
It triggered directly, without any user interaction. All subdomains with payment support are affected by this issue.
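The root cause behind this bug, as an added example that is not part of the original post or Google’s code: stored address fields are written into the purchase page markup, and the only difference between the vulnerable and the hardened rendering is HTML output encoding at render time. The record shape, template strings and function names are assumptions.

```javascript
// Added example (not from the original post): a stored payment-address field
// becomes XSS when it is rendered without output encoding, and the fix.
// The payload and field names come from the write-up; the stored record and
// the page templates are constructed for this example.

// Constructed stored address record, as the edited payments profile would look.
const storedAddress = {
  line1: '<script>alert(document.domain)</script>',
  line2: '<script>alert(document.domain)</script>',
  city: '<script>alert(document.domain)</script>',
};

// Vulnerable: concatenates stored values straight into the "Complete your
// purchase" markup, so the stored tag becomes live HTML in the payment origin.
function renderPurchaseSummaryUnsafe(addr) {
  return `<div class="address">${addr.line1}<br>${addr.line2}<br>${addr.city}</div>`;
}

// Encode the five characters that matter in an HTML text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened: every stored field is HTML-encoded at the point of rendering,
// regardless of what validation the payments form did when the value was saved.
function renderPurchaseSummarySafe(addr) {
  return `<div class="address">${escapeHtml(addr.line1)}<br>${escapeHtml(addr.line2)}<br>${escapeHtml(addr.city)}</div>`;
}

// Review check for rendered responses: a raw <script> tag where only text
// was expected is a finding.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Run the two renderers over `storedAddress` to see that only the unsafe one emits a live script tag; the same check applies to every origin that reuses the stored address, which is why all payment-enabled subdomains were affected.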
July 24, 2017 – Discovered
July 24, 2017 – Reported
August 4, 2017 – Rewarded
August 10, 2017 – Fixed