An application security head discovered a cross-site scripting bug in Google Maps and was rewarded a bounty of $5,000 after reporting it. Soon after Google released a patch, the same researcher showed Google how to bypass the patch and exploit the same feature again, earning a second $5,000 bounty. The bug lies in Google Maps' map export feature.
Bug Hunter Bagged $10,000 Rewards From Google
The Google Vulnerability Rewards Program (VRP) lets anyone privately report vulnerabilities in Google services or products in exchange for a reward. If Google judges a reported vulnerability to be serious and exploitable, it rewards the reporter accordingly.
Under this program, Google paid out over $6.5 million last year, with the highest single payout, more than $200,000, going to a bug in the Pixel 3 phone.
Now Zohar Shachar, head of Application Security at Wix, has reported a bug in the Google Maps platform. He said that the way Maps handles the export of a newly created map is flawed, since he could manipulate the export to include malicious code and trigger XSS in a victim's browser.
After creating a map, he explained, Maps allows its content to be exported in several formats, one of which is KML, a tag-based format built on the XML standard.
In that format, the map's name is placed inside an open CDATA section, whose contents the browser does not render as markup. By adding the special character sequence "]]>", which terminates a CDATA section, it is possible to break out of the section and add arbitrary XML content to the export.
If a map created with such malicious data is shared with a target, this trick can lead to an XSS attack. After the report, Google paid Shachar $5,000 and released a patch.
But Shachar was surprised to find that Google's patch simply added a new CDATA closing tag to close the original section, followed by two opening CDATA tags; bypassing it took only two closing CDATA tags. He received another $5,000 for this report, and a reliable fix followed.
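The CDATA break-out and the difference between a one-shot patch and a real fix can be checked with an XML parser. The example below is added here and is not Google's code: `cdata_unescaped` models the original flaw, `cdata_first_only` is a hypothetical stand-in for a patch that neutralises one terminator but not two, and `cdata_safe` splits every `]]>` so the section can never be closed early. The KML-shaped document, the map names and the `<injected/>` marker are constructed sample input.

```python
import xml.etree.ElementTree as ET


def cdata_unescaped(name: str) -> str:
    """Original flaw: untrusted text dropped into a CDATA section as-is."""
    return f"<![CDATA[{name}]]>"


def cdata_first_only(name: str) -> str:
    """Hypothetical half-fix: neutralises only the first ']]>' in the name."""
    return "<![CDATA[" + name.replace("]]>", "]]]]><![CDATA[>", 1) + "]]>"


def cdata_safe(name: str) -> str:
    """Correct fix: split every ']]>' so the terminator never appears inside a section."""
    return "<![CDATA[" + name.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_kml(name_markup: str) -> str:
    # Constructed, minimal KML-shaped document (no namespace) around the exported map name.
    return f"<kml><Document><name>{name_markup}</name></Document></kml>"


def name_round_trips(encoder, name: str) -> bool:
    """True only if the parsed <name> holds exactly the original text and no child elements.

    Any injected element inside <name>, or a document that no longer parses, is a failure."""
    try:
        root = ET.fromstring(build_kml(encoder(name)))
    except ET.ParseError:
        return False
    name_el = root.find("Document/name")
    if name_el is None or len(list(name_el)) != 0:
        return False
    return (name_el.text or "") == name


# Constructed sample names: an honest one, a single CDATA break-out, and a double break-out
# (the double one mirrors the "two closing CDATA tags" bypass described above).
HONEST = "Office map"
ONE_BREAK = "Office map]]><injected/><![CDATA["
TWO_BREAKS = "Office map]]>]]><injected/><![CDATA["

if __name__ == "__main__":
    for label, enc in (("unescaped", cdata_unescaped),
                       ("first-only", cdata_first_only),
                       ("safe", cdata_safe)):
        print(label, [name_round_trips(enc, n) for n in (HONEST, ONE_BREAK, TWO_BREAKS)])
```

Only `cdata_safe` returns `True` for all three names; the round-trip check is the kind of regression test that would have caught the one-terminator patch before it shipped.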