A 16-year-old security researcher found XSS vulnerabilities in Google’s Invoice Submission Portal

Recently, Google disclosed a security vulnerability that has been fixed. This vulnerability is a cross-site scripting attack that can be used to attack Google’s network and impersonate its employees. It is worth noting that this security vulnerability was discovered by a 16-year-old researcher. After receiving the notice, Google completely repaired the vulnerability. Of course, Google will only disclose the details of the vulnerability after it is completely repaired.

The researchers revealed that a website used by Google to upload invoices was improperly configured. The original website required users to upload documents in .PDF format. The advantage of using this format is that it can both receive content and evade cross-site scripting attacks, but it seems that developers have errors in the background configuration.

When the user uploads the document and the system automatically converts to .HTML format, the attacker only creates a document upload with a specific code to trigger the vulnerability. The researcher said the exploit could be used to steal Google’s sensitive information, and it could also be used to attack Google’s employee accounts to penetrate Google’s intranet.

The XSS was executed on a googleplex.com subdomain, let’s say xxx.googleplex.com,” Orlita explained via email. “On this same subdomain, they have some kind of dashboard to view and manage the invoices submitted via the submission portal. Since it’s possible to execute arbitrary JavaScript on that subdomain, there shouldn’t be anything stopping the attacker from accessing the dashboard (the employee is already logged in, so the cookies are sent with the request) and then sending the loaded data to a server or somewhere.”

Depending on how they have cookies configured on the server (most likely the cookies are shared between all the subdomains so they don’t have to login into all the different subdomains all the time – we can’t know that for sure tho), it should be as well possible to send requests to other googleplex.com subdomains. There’s a list of perhaps hundreds of different subdomains on this domain. The amount/severity of the gained data is, of course, depending on how well it can be exploited. For example, an attacker might try to do a phishing attack on the employee,” he added.

Source: securityweek