Google has paid out $5,000 to a bug bounty hunter who discovered a serious vulnerability in the Google Cloud Platform.
Germany-based researcher Patrik Fehrenbach discovered that the Google Cloud Platform Console was plagued by a stored cross-site scripting (XSS) flaw.
The expert had signed up for a free 60-day trial on Google’s cloud platform and started testing all fields for XSS vulnerabilities. None of the payloads were triggered until two months later when Fehrenbach received a message from Google informing him that his trial period was ending.
In order to avoid charges, the researcher deleted his project, which was named "><img src=x onerror=javascript:alert(1); (the opening quote and angle bracket are part of the name). That was when the XSS payload was triggered, because Google had not filtered the content of the error message displayed when a project is canceled.
“For those unfamiliar, and the knowledge hungry, here’s how the payload gets reflected in the content of the site: the first quote and angle bracket, ">, close the preceding HTML tag which allowed my injected <script> tag to be rendered in the page source,” Fehrenbach explained in a blog post. “For this POC, I simply used the img src = x payload. Since x is not a valid url, this is designed to fail immediately with a 404 HTTP response, which will then invoke the onerror event to execute a javascript function.”
The issue was serious because users of a project hosted on the Google Cloud Platform could have leveraged the vulnerability to target the project’s administrator. The expert noted that while his PoC simply displayed a pop-up, a malicious attacker could have exploited the flaw to do much more.
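To make the reflection mechanism concrete, here is an added example (not code from the article, from Google, or from the researcher) that models a server-side template inserting a user-chosen project name into a cancellation notice. The project name, template wording and function names are constructed for illustration; the name is shaped like the one in the report. The unsafe builder concatenates the raw name, so the leading quote-and-bracket closes the surrounding markup and an extra img element appears; the safe builder HTML-escapes the name first, which is the standard fix for stored XSS of this kind.

```javascript
// Constructed sample project name, shaped like the payload described in the article.
const PROJECT_NAME = '"><img src=x onerror=javascript:alert(1);>';

// Vulnerable rendering (hypothetical): the name is dropped straight into the HTML.
function renderCancelMessageUnsafe(projectName) {
  return '<p class="error">Project "' + projectName + '" has been cancelled.</p>';
}

// Minimal HTML escaper covering the five characters that matter in text nodes
// and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the same template, but the untrusted value is escaped
// before it is placed into the markup.
function renderCancelMessageSafe(projectName) {
  return '<p class="error">Project "' + escapeHtml(projectName) + '" has been cancelled.</p>';
}

// Simple output check a reviewer or test suite can run: count opening tags in
// the rendered fragment. The template legitimately contains exactly one (<p>),
// so any additional tag means untrusted input reached the markup unescaped.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

function hasInjectedMarkup(html) {
  return countOpeningTags(html) > 1;
}

// Usage (prints true for the unsafe version, false for the safe one).
console.log(hasInjectedMarkup(renderCancelMessageUnsafe(PROJECT_NAME)));
console.log(hasInjectedMarkup(renderCancelMessageSafe(PROJECT_NAME)));
```

The escaper is deliberately context-specific: it is correct for HTML text and double-quoted attribute values, which is where the project name lands in this template. A value placed into a JavaScript string, a URL or a CSS property needs the encoder for that context instead, which is why output-encoding libraries expose one function per context rather than a single "sanitize" call.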
This was not the first vulnerability reported by Fehrenbach to Google. Last year, he and researcher Behrouz Sadeghipour identified a flaw in the Google Apps Admin console that could have been exploited for email spoofing.
Last month, the search giant awarded a researcher $12,500 after he discovered several vulnerabilities in the Google account recovery process that could have been exploited to change users’ passwords. The exploit chain started with an XSS flaw on google.com, for which the reporter earned $5,000.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.