Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

XSS Vulnerability Exposed Google Employees to Attacks

A researcher revealed on Wednesday that he discovered a blind cross-site scripting (XSS) vulnerability that could have been exploited to attack Google employees and possibly gain access to invoices and other sensitive information.

A researcher revealed on Wednesday that he discovered a blind cross-site scripting (XSS) vulnerability that could have been exploited to attack Google employees and possibly gain access to invoices and other sensitive information.

Thomas Orlita, a 16-year-old bug bounty hunter from the Czech Republic, analyzed the Google Invoice Submission Portal hosted on gist-uploadmyinvoice.appspot.com, where vendors can submit invoices to Google.

During the process of submitting an invoice, users are asked to provide various types of information via several text fields. However, Orlita found that these inputs were properly sanitized and they could not be abused for XSS attacks.

However, he noticed that the feature designed for uploading the actual invoice in PDF format could be abused to upload HTML files. An attacker simply had to intercept a request and change the uploaded file’s filename and Content-Type properties to HTML.

XSS in Google invoice service

During his tests, Orlita uploaded an HTML file containing an XSS payload that, when triggered, would send him an email every time it was loaded.

A few days later he received an email showing that the JavaScript code in his payload had been executed on a domain named googleplex.com, which takes users to a login page for Google’s intranet, dubbed “MOMA.”.

The researcher believes the vulnerability could have been exploited to execute arbitrary code on behalf of Google employees and gain access to invoices and other sensitive information. He also believes that since the targeted Google employee would have been logged in using their company account, it should have also been possible to access other internal sites on their behalf.

“The XSS was executed on a googleplex.com subdomain, let’s say xxx.googleplex.com,” Orlita explained via email. “On this same subdomain they have some kind of dashboard to view and manage the invoices submitted via the submission portal. Since it’s possible to execute arbitrary JavaScript on that subdomain, there shouldn’t be anything stopping the attacker from accessing the dashboard (the employee is already logged in, so the cookies are sent with the request) and then sending the loaded data to a server or somewhere.”

“Depending on how they have cookies configured on the server (most likely the cookies are shared between all the subdomains so they don’t have to login into all the different subdomains all the time – we can’t know that for sure tho), it should be as well possible to send requests to other googleplex.com subdomains. There’s a list of perhaps hundreds of different subdomains on this domain. The amount/serverity of the gained data is of course depending on how well it can be exploited. For example an attacker might try to do a phishing attack on the employee,” he added.

Google was informed of the vulnerability on February 21 and implemented a patch roughly one month later. The internet giant initially assigned a P2 priority level (severe) to the flaw, but later changed it to P1 (critical). The company has the following description for P1 issues: “The issue identified in the submission has the highest priority and should be assigned to major blockers. Typically, submissions with a P1 priority cause the application to be unusable and requires immediate attention.”

Related: Expert Earns $5,000 for Google Intranet Vulnerability

Related: Google Photos Flaw Allowed Hackers to Track Users

Related: JavaScript Library Introduced XSS Flaw in Google Search

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.