Google has paid out $5,000 to a bug bounty hunter who discovered a serious vulnerability in the Google Cloud Platform.
Germany-based researcher Patrik Fehrenbach discovered that the Google Cloud Platform Console was plagued by a stored cross-site scripting (XSS) flaw.
The expert had signed up for a free 60-day trial on Google’s cloud platform and started testing all fields for XSS vulnerabilities. None of the payloads were triggered until two months later when Fehrenbach received a message from Google informing him that his trial period was ending.
In order to avoid charges, the researcher deleted his project, which was named “> <img src = x onerror = javascript: alert (1);. That was when the XSS payload was triggered because Google had not filtered the content of the error message displayed when a project is canceled.
“For those unfamiliar, and the knowledge hungry, here’s how the payload gets reflected in the content of the site: the first quote and angle bracket, ‘>’, close the preceding HTML tag which allowed my injected <script> tag to be rendered in the page source,” Fehrenbach explained in a blog post. “For this POC, I simply used the img src = x payload. Since x is not a valid URL, this is designed to fail immediately with a 404 HTTP response, which will then invoke the onerror event to execute a javascript function.”
The issue was serious because users of a project hosted on the Google Cloud Platform could have leveraged the vulnerability to target the project’s administrator. The expert noted that while his PoC simply displayed a pop-up, a malicious attacker could have exploited the flaw to do much more.
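The payload stayed dormant for two months because only one rarely shown view failed to encode the stored project name. The following added example (not Google's code and not taken from the researcher's post) audits every view that renders a stored value with a canary string; the view names, markup and helper functions are hypothetical.

```javascript
// Added example: view names and markup are hypothetical, not Google's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical views that all display the same stored project name.
const views = {
  // Frequently visited view: encodes on output.
  projectList: (name) => `<li title="${escapeHtml(name)}">${escapeHtml(name)}</li>`,
  // Rarely reached view: raw concatenation, the pattern the article describes.
  deletionNotice: (name) =>
    `<div class="error" title="${name}">Project ${name} was deleted.</div>`,
};

// Corrected version of the rarely reached view.
const fixedDeletionNotice = (name) =>
  `<div class="error" title="${escapeHtml(name)}">Project ${escapeHtml(name)} was deleted.</div>`;

// Constructed test value modelled on the project name quoted in the article.
const CANARY = '"><img src=x onerror=alert(1)>';

// Return the names of views whose output still contains the canary's raw markup.
function findUnencodedSinks(viewMap, canary = CANARY) {
  return Object.entries(viewMap)
    .filter(([, render]) => render(canary).includes(canary))
    .map(([viewName]) => viewName);
}

// Audit before and after the fix.
console.log(findUnencodedSinks(views));
console.log(findUnencodedSinks({ ...views, deletionNotice: fixedDeletionNotice }));
```

Running an audit like this over every template, including error and cancellation messages, catches the sink that manual field-by-field testing missed until the project was deleted.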
This was not the first vulnerability reported by Fehrenbach to Google. Last year, he and researcher Behrouz Sadeghipour identified a flaw in the Google Apps Admin console that could have been exploited for email spoofing.
Last month, the search giant awarded a researcher $12,500 after he discovered several vulnerabilities in the Google account recovery process that could have been exploited to change users’ passwords. The exploit chain started with an XSS flaw on google.com, for which the reporter earned $5,000.