A researcher uncovered a cross-web page scripting flaw in Google Map’s export function, which acquired him $10,000 in bug bounty rewards.
A researcher gained a double-payment totaling $10,000 for a cross-web page scripting (XSS) bug he observed in Google Maps. He acquired $5,000 initially. But when Google’s patch fell brief, the researcher acquired a next $5,000 for finding the bypass to the resolve.
Zohar Shachar, head of software security at Wix.com, noted the flaw to Google on April 23 and was issued a $5,000 reward quickly following. Google publicly disclosed the issue, declaring it “fixed” on June 7. Minutes right after Shachar was notified of the patch and bounty payment award, he claimed he identified a bypass for the Google Maps take care of. That sooner or later attained him a further $5,000.
“Something in the boredom of this certain second led me to prevail over my original way of thinking of ‘this is Google, they know how to repair an XSS’, and really test and validate the fix. Within 10 minutes of that, I experienced a bypass in hand, and a couple of times afterwards a double bounty in my account,” wrote Shachar in website submit Sunday breaking down the flaws for the very first time publicly.
The first vulnerability stemmed from a Google Maps perform that lets end users to make their very own map, stated Shachar. Right after building the map, end users can export it in several formats. A person of those formats is Keyhole Markup Language (KML), an XML-like format for expressing geographic annotation and visualization in just 2D maps.
When the map was exported as KML, Shachar observed the server response contained a CDATA tag. CDATA tags indicate that a particular part of the doc is common character knowledge (fairly than non-character information) and makes confident that the code wouldn’t be rendered by the browser. On the other hand, he observed that by adding unique figures, the CDATA tag can be quickly “closed.”
“Specifically, by incorporating ‘]]>’ at the commencing of your payload (I.e. as the beginning of the ‘map name’), you can escape from the CDATA and include arbitrary XML content (which will be rendered as XML) – leading instantly to XSS,” explained Shachar.
To exploit this flaw, an attacker could make a new vacant map, rename it making use of these special characters and include an XSS payload for SVG. SVG (or Scalable Vector Graphics) is an XML-primarily based vector graphic structure. Then, they need to set permissions for the map to “public,” allowing for absolutely everyone to entry it, export it as KML and copy the down load backlink. They can then deliver the down load url to their target. The moment the focus on is persuaded to click on on the url (by means of social engineering) the XSS attack is introduced.
After Shachar described the bug, Google said it was mounted. Nevertheless, Shachar then identified a way to bypass the patch. That is since in order to take care of the flaw, Google appeared to have additional an additional CDATA tag – this means an attacker could simply insert two CDATA closing tags, said Shachar.
“I was truly stunned the bypass was so simple. I documented it so immediately (virtually 10 minutes between checking my mailbox and reporting a bypass), that suitable following sending this mail I started doubting myself,” mentioned Shachar.
Threatpost has achieved out to Google for even more comment.
Google has frequently expanded its bug-bounty packages. The tech large lately greater the reward amounts in its bug-bounty application for stories concentrating on prospective attacks in the products-abuse area, to best out at $13,337 per report.
Previous yr Google debuted the Developer Details Defense Reward Software, which features up to $50,000 for stories on violations of the Google Participate in, Google API and Google Chrome Web Store Extension software privacy guidelines. Also in 2019, Google tripled top reward payouts for security flaws in Chrome from $5,000 to $15,000 – and doubled the greatest reward quantity for large-top quality reviews from $15,000 to $30,000.
On Wed Sept. 16 @ 2 PM ET: Learn the insider secrets to running a profitable Bug Bounty Method. Register today for this FREE Threatpost webinar “Five Essentials for Running a Prosperous Bug Bounty Program“. Hear from top Bug Bounty Plan experts how to juggle general public as opposed to private packages and how to navigate the tricky terrain of handling Bug Hunters, disclosure guidelines and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.
Some components of this short article is sourced from: