Security Experts:

Researcher Details Google Maps Vulnerability That Earned Him $10,000

A researcher has disclosed the details of a cross-site scripting (XSS) vulnerability in Google Maps that earned him $10,000.

Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.

The flaw affected the Google Maps feature that allows users to create their own map. These maps can be exported in various formats, including Keyhole Markup Language (KML), a format that is used to display geographic data in Google Earth and other similar applications.

An analysis of the server response when exporting a map using KML revealed an XML response containing, among other things, a CDATA tag. The CDATA section contains text that is not rendered by the browser.

However, Shachar found a way to escape the CDATA section and add arbitrary XML content that would be rendered by the browser, which resulted in an XSS vulnerability.

In order to exploit the vulnerability, an attacker would have to create a new map in Google Maps, rename it with an XSS payload, set its permissions to public, export it as a KML file, and copy the download link. The attacker would then need to send the link to the targeted user and wait for them to click it in order to trigger the exploit and execute malicious code in their browser.

Google initially awarded a $5,000 bounty for the security hole, but Shachar earned an additional $5,000 after finding a way to bypass the initial fix — he bypassed the patch within minutes.

“Ever since this Google-maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off. I full heartedly encourage you to do the same,” the researcher wrote on his blog.

Related: JavaScript Library Introduced XSS Flaw in Google Search

Related: XSS Vulnerability Exposed Google Employees to Attacks

Related: XSS Flaw in Gmail's Dynamic Email Feature Earns Researcher $5,000

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.