Security Experts:

Connect with us

Hi, what are you looking for?



XSS Vulnerability Exposed Google Employees to Attacks

A researcher revealed on Wednesday that he discovered a blind cross-site scripting (XSS) vulnerability that could have been exploited to attack Google employees and possibly gain access to invoices and other sensitive information.

A researcher revealed on Wednesday that he discovered a blind cross-site scripting (XSS) vulnerability that could have been exploited to attack Google employees and possibly gain access to invoices and other sensitive information.

Thomas Orlita, a 16-year-old bug bounty hunter from the Czech Republic, analyzed the Google Invoice Submission Portal hosted on, where vendors can submit invoices to Google.

During the process of submitting an invoice, users are asked to provide various types of information via several text fields. However, Orlita found that these inputs were properly sanitized and they could not be abused for XSS attacks.

However, he noticed that the feature designed for uploading the actual invoice in PDF format could be abused to upload HTML files. An attacker simply had to intercept a request and change the uploaded file’s filename and Content-Type properties to HTML.

XSS in Google invoice service

During his tests, Orlita uploaded an HTML file containing an XSS payload that, when triggered, would send him an email every time it was loaded.

A few days later he received an email showing that the JavaScript code in his payload had been executed on a domain named, which takes users to a login page for Google’s intranet, dubbed “MOMA.”.

The researcher believes the vulnerability could have been exploited to execute arbitrary code on behalf of Google employees and gain access to invoices and other sensitive information. He also believes that since the targeted Google employee would have been logged in using their company account, it should have also been possible to access other internal sites on their behalf.

“The XSS was executed on a subdomain, let’s say,” Orlita explained via email. “On this same subdomain they have some kind of dashboard to view and manage the invoices submitted via the submission portal. Since it’s possible to execute arbitrary JavaScript on that subdomain, there shouldn’t be anything stopping the attacker from accessing the dashboard (the employee is already logged in, so the cookies are sent with the request) and then sending the loaded data to a server or somewhere.”

“Depending on how they have cookies configured on the server (most likely the cookies are shared between all the subdomains so they don’t have to login into all the different subdomains all the time – we can’t know that for sure tho), it should be as well possible to send requests to other subdomains. There’s a list of perhaps hundreds of different subdomains on this domain. The amount/serverity of the gained data is of course depending on how well it can be exploited. For example an attacker might try to do a phishing attack on the employee,” he added.

Google was informed of the vulnerability on February 21 and implemented a patch roughly one month later. The internet giant initially assigned a P2 priority level (severe) to the flaw, but later changed it to P1 (critical). The company has the following description for P1 issues: “The issue identified in the submission has the highest priority and should be assigned to major blockers. Typically, submissions with a P1 priority cause the application to be unusable and requires immediate attention.”

Related: Expert Earns $5,000 for Google Intranet Vulnerability

Related: Google Photos Flaw Allowed Hackers to Track Users

Related: JavaScript Library Introduced XSS Flaw in Google Search

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet