Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Details Google Maps Vulnerability That Earned Him $10,000

A researcher has disclosed the details of a cross-site scripting (XSS) vulnerability in Google Maps that earned him $10,000.

Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.

A researcher has disclosed the details of a cross-site scripting (XSS) vulnerability in Google Maps that earned him $10,000.

Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.

The flaw affected the Google Maps feature that allows users to create their own map. These maps can be exported in various formats, including Keyhole Markup Language (KML), a format that is used to display geographic data in Google Earth and other similar applications.

An analysis of the server response when exporting a map using KML revealed an XML response containing, among other things, a CDATA tag. The CDATA section contains text that is not rendered by the browser.

However, Shachar found a way to escape the CDATA section and add arbitrary XML content that would be rendered by the browser, which resulted in an XSS vulnerability.

In order to exploit the vulnerability, an attacker would have to create a new map in Google Maps, rename it with an XSS payload, set its permissions to public, export it as a KML file, and copy the download link. The attacker would then need to send the link to the targeted user and wait for them to click it in order to trigger the exploit and execute malicious code in their browser.

Google initially awarded a $5,000 bounty for the security hole, but Shachar earned an additional $5,000 after finding a way to bypass the initial fix — he bypassed the patch within minutes.

“Ever since this Google-maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off. I full heartedly encourage you to do the same,” the researcher wrote on his blog.

Advertisement. Scroll to continue reading.

Related: JavaScript Library Introduced XSS Flaw in Google Search

Related: XSS Vulnerability Exposed Google Employees to Attacks

Related: XSS Flaw in Gmail’s Dynamic Email Feature Earns Researcher $5,000

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights