Google Bug Bounty Story


I have discovered stored based cross-site scripting vulnerability on Google. In this post, I will tell you all the steps I have followed while exploring the bug. While I was looking for latest cross-site scripting video on Youtube, I came up Frans Rosén’s video which has been reported by 3 months ago.

I started visiting on Google’s web store dashboard application. Firstly, I registered as a developer account on the dashboard. Secondly, I added new item to analyse details. Thirdly, I edited new item to find injection point. Unfortunately, I found nothing.

I turned back to web store dashboard page. On the page, More info section caught my attention. I clicked on More info and Start or check progress button.

At the end of the Start or check progress, I saw Complete your purchase section. It was including Card number, Cardholder name and Address input values.

I started searching for editing address section. I visit on Google’s payments application for changing address lines.

I changed Address line 1, Address line 2 and City input value as <script>alert(document.domain)</script> payload and save it. I repeated previously Start or check progress step.

It was trigger up directly without user attraction. All subdomains with payment support are affected by this issue.


[embedded content]


July 24, 2017 – Discovered

July 24, 2017 – Reported

August 4, 2017 – Rewarded

August 10 2017 – Fixed


  1. Attack Infrastructure Logging – Part 3: Graylog Dashboard 101
  2. Expanding Multi-User Access on
  3. GitHub - open-falcon/dashboard: falcon-plus frontend
  4. falcon-plus/ at master · open-falcon/falcon-plus · GitHub
  5. SSO Support for the Cloudflare Dashboard