Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Researcher Details Google Maps Vulnerability That Earned Him $10,000

A researcher has disclosed the details of a cross-site scripting (XSS) vulnerability in Google Maps that earned him $10,000.

Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.

A researcher has disclosed the details of a cross-site scripting (XSS) vulnerability in Google Maps that earned him $10,000.

Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.

The flaw affected the Google Maps feature that allows users to create their own map. These maps can be exported in various formats, including Keyhole Markup Language (KML), a format that is used to display geographic data in Google Earth and other similar applications.

An analysis of the server response when exporting a map using KML revealed an XML response containing, among other things, a CDATA tag. The CDATA section contains text that is not rendered by the browser.

However, Shachar found a way to escape the CDATA section and add arbitrary XML content that would be rendered by the browser, which resulted in an XSS vulnerability.

In order to exploit the vulnerability, an attacker would have to create a new map in Google Maps, rename it with an XSS payload, set its permissions to public, export it as a KML file, and copy the download link. The attacker would then need to send the link to the targeted user and wait for them to click it in order to trigger the exploit and execute malicious code in their browser.

Advertisement. Scroll to continue reading.

Google initially awarded a $5,000 bounty for the security hole, but Shachar earned an additional $5,000 after finding a way to bypass the initial fix — he bypassed the patch within minutes.

“Ever since this Google-maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off. I full heartedly encourage you to do the same,” the researcher wrote on his blog.

Related: JavaScript Library Introduced XSS Flaw in Google Search

Related: XSS Vulnerability Exposed Google Employees to Attacks

Related: XSS Flaw in Gmail’s Dynamic Email Feature Earns Researcher $5,000

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.