
Cloud Security

Google Cloud Platform Flaw Earns Researcher $5,000

Google has paid out $5,000 to a bug bounty hunter who discovered a serious vulnerability in the Google Cloud Platform.

Germany-based researcher Patrik Fehrenbach discovered that the Google Cloud Platform Console was plagued by a stored cross-site scripting (XSS) flaw.

The expert had signed up for a free 60-day trial on Google’s cloud platform and started testing all fields for XSS vulnerabilities. None of the payloads were triggered until two months later when Fehrenbach received a message from Google informing him that his trial period was ending.

In order to avoid charges, the researcher deleted his project, which he had named “"><img src=x onerror=javascript:alert(1);”. That was when the XSS payload was triggered, because Google had not filtered the content of the error message displayed when a project is canceled.

“For those unfamiliar, and the knowledge hungry, here’s how the payload gets reflected in the content of the site: the first quote and angle bracket, '">', close the preceding HTML tag which allowed my injected <script> tag to be rendered in the page source,” Fehrenbach explained in a blog post. “For this POC, I simply used the img src=x payload. Since x is not a valid url, this is designed to fail immediately with a 404 HTTP response, which will then invoke the onerror event to execute a javascript function.”

The issue was serious because users of a project hosted on the Google Cloud Platform could have leveraged the vulnerability to target the project’s administrator. The expert noted that while his PoC simply displayed a pop-up, a malicious attacker could have exploited the flaw to do much more.
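The rendering mistake behind this bug, shown in miniature as an added example (this is not code from the article, from Google, or from the researcher): a user-supplied project name is placed into the HTML of a "project cancelled" notice. Dropping it in raw turns the payload shape described above into live markup; HTML-escaping it first keeps it inert. The notice template, the function names and the sample name are constructed for illustration.

```javascript
// Constructed input: the payload shape the article describes, stored as a
// project name and later reflected in a cancellation notice.
const PAYLOAD_NAME = '"><img src=x onerror=javascript:alert(1);>';

// Vulnerable rendering: user-controlled text concatenated straight into markup.
function renderCancelNoticeUnsafe(projectName) {
  return '<p class="notice">Project "' + projectName +
         '" has been cancelled.</p>';
}

// Output encoding: escape the five characters that change meaning in HTML
// text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened rendering: same template, project name encoded at the output point.
function renderCancelNoticeSafe(projectName) {
  return '<p class="notice">Project "' + escapeHtml(projectName) +
         '" has been cancelled.</p>';
}

// Defender's check over the rendered markup: any tag other than the
// template's own <p> wrapper, or any on* event-handler attribute inside a
// tag, means user input became markup instead of text.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const foreign = tags.filter((t) => !/^<\/?p(\s|>)/.test(t));
  const handler = tags.some((t) => /\son[a-z]+\s*=/i.test(t));
  return foreign.length > 0 || handler;
}

console.log('unsafe:', renderCancelNoticeUnsafe(PAYLOAD_NAME));
console.log('  injected markup?', containsInjectedMarkup(renderCancelNoticeUnsafe(PAYLOAD_NAME)));
console.log('safe:  ', renderCancelNoticeSafe(PAYLOAD_NAME));
console.log('  injected markup?', containsInjectedMarkup(renderCancelNoticeSafe(PAYLOAD_NAME)));
```

The escaped notice still displays the odd project name verbatim to the administrator, but the browser parses it as text, so no element or event handler is created.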

This was not the first vulnerability reported by Fehrenbach to Google. Last year, he and researcher Behrouz Sadeghipour identified a flaw in the Google Apps Admin console that could have been exploited for email spoofing.

Last month, the search giant awarded a researcher $12,500 after he discovered several vulnerabilities in the Google account recovery process that could have been exploited to change users’ passwords. The exploit chain started with an XSS flaw on google.com, for which the reporter earned $5,000.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
