Coming across an XSS vulnerability on a Google site, as I expected

Hello everyone. How are you doing?
From now on I'll write my blog in English.
I used to sleep through every English class when I was a high school student, so I'm not good at English…. :'-(
I think this post has almost the same content as the Japanese article.
If you are Japanese, you'd better read the Japanese article rather than this one.
Sometimes I might write an article only in English here.

I almost never watch TV, but every week I watch "Suiyoubi no Downtown", a TV program in Japan.
http://www.tbs.co.jp/suiyobinodowntown/
Here, Downtown is the name of a Japanese comedy group.
Downtown is one of the most entertaining comedy groups in Japan today, and I like them very much.
You must know about them if you are interested in Japanese comedy.
https://en.wikipedia.org/wiki/Downtown_(owarai)
This TV program tests "theories" put forward by professional entertainers and television viewers.
It causes plenty of trouble, and that is what makes it fun.
I know that anything harmless is not interesting.

Well, today I'd like to write a write-up of a Google bug bounty.
To be exact, I reported a possible vulnerability to the Google security team and received a reward of $3133.7.
This vulnerability has already been fixed.

When I happened to open a Google Books page, I thought "Well… Google has a bug bounty program," so I typed a test string for finding XSS vulnerabilities into the search box on Google Books and found the page below.
https://books.google.co.jp/books?id=DdzuBgAAQBAJ

It looked like someone had already checked whether there was an XSS or not, but what mattered were the HTML tags below, which the page contained.

Did you notice?
The code looked perfectly escaped, but take a close look at the onmousedown event handler.
They escaped the single quote only as an HTML character reference (it renders here as a plain ').
</gre_replace>
<gr_replace lines="34-35" cat="clarify" orig="If an attacker">
If an attacker can register book data whose title is ';]);}alert(1)//, I think Google Books would generate HTML tags like the ones below.
Yes, this was only my guess.

If an attacker can register a book data the title of which is ‘;]);}alert(1)//, I think Google Books generates like below HTML tags.
Yes I just think so.

Clicking this link shows you an alert box, because the browser decodes that character reference back into a real single quote before the onmousedown handler runs, so the quote closes the string and the rest of the title is executed as JavaScript.

Please feel free to look at this demo page that I’ve created for Google security team.
http://vuln.moe/web/xss/omd_test.html

So we could say that this Google books page might have an XSS vulnerability.
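The escaping mismatch described above, as an added example that is not code from the original post or from Google Books: the handler template, helper names and sample title are all constructed, and the "hardened" variant escapes for the JavaScript string context before HTML-escaping the attribute.

```javascript
// Added example (not code from the original post or from Google Books). It models
// the mismatch the post describes: the HTML parser decodes character references
// in an attribute value before the inline handler ever reaches the JS engine.
// The handler shape, helper names and sample title are all constructed.

function htmlEscape(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// Escape for the inner JavaScript string context: everything except
// alphanumerics and spaces becomes \xHH or \uHHHH, which the HTML parser
// leaves untouched and which can never terminate the string literal.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Minimal model of the browser decoding an attribute value (numeric references
// plus the named ones an HTML escaper typically emits).
function decodeAttributeValue(v) {
  return v.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|amp|lt|gt|quot);/g, (m, ref) => {
    if (ref[0] !== '#') return { amp: '&', lt: '<', gt: '>', quot: '"' }[ref];
    const hex = ref[1] === 'x' || ref[1] === 'X';
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Constructed handler template; the book title lands inside a JS string literal.
const handlerFor = inner => "if(window.track){track(['" + inner + "']);}";
// Vulnerable pattern from the post: HTML-escape only. Hardened pattern: escape
// for the inner (JS) context first, then for the outer (HTML attribute) context.
const vulnerableHandlerScript = t => decodeAttributeValue(handlerFor(htmlEscape(t)));
const hardenedHandlerScript = t => decodeAttributeValue(handlerFor(htmlEscape(jsStringEscape(t))));

// Executes the decoded handler with stubbed window/track/alert and reports
// whether alert ran and what track received.
function runHandler(script) {
  const r = { alerted: false, trackArg: undefined };
  new Function('window', 'track', 'alert', script)(
    { track: true }, a => { r.trackArg = a; }, () => { r.alerted = true; });
  return r;
}
const PAYLOAD = "']);}alert(1)//";   // constructed title, same idea as the post's
console.log(vulnerableHandlerScript(PAYLOAD), runHandler(vulnerableHandlerScript(PAYLOAD)));
console.log(hardenedHandlerScript(PAYLOAD), runHandler(hardenedHandlerScript(PAYLOAD)));
```

With the hardened form, track still receives the original title unchanged, which shows the fix does not lose data; it only keeps the value inside the string literal.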

However, I had a problem.
To convince them I needed to actually execute some JavaScript (console.log, alert, or anything), but I couldn't find a way to register book data.

I looked for the pages where writers register book data, but it seemed I couldn't register as a writer at the time…
https://books.google.com/intl/ja/googlebooks/publishers.html
https://play.google.com/books/publish/?re=1

Even so, as far as I was concerned the page very probably had an XSS vulnerability, so I decided to report the issue to the Google security team.

Reporting an issue to Google for the first time made me a little nervous, but I managed to report it in my poor English.

Then they sent me a "triaged" email.
By the way, the "triaged" email landed in the spam folder of my Gmail account.
The cause may have been that the mail contained a lot of HTML tags.

About one week later, the Google security team sent me an email.
However, they said "I see it properly escaped in the source of the page".

Certainly I thought their reaction was reasonable, because I actually couldn't execute any JavaScript on the page. Besides, my explanation might have been lacking something.

So I created a simple demo page showing that Google Books might have an XSS vulnerability.
And then I sent an email which said "The page might not be escaped perfectly, and please check the demo page that I've created."

Still, I thought the Google security team would not spend time on the issue, since I couldn't execute any JavaScript.
So I would have given up if they had said "No problem".

However, a few days later the Google security team sent me an email with the message below.
"I've filed a bug and will update you once we've got more information."
Wow, had they decided to reward me…?
There might really have been the XSS vulnerability I expected.

And then the Google security team sent me an email which said "You will receive a reward of $3133.7".
This is the reward for Normal Google Applications, and the highest reward I've ever received.
https://www.google.com/about/appsecurity/reward-program/
That was the first time I saw the words "There was an XSS vulnerability."
No one gives a reward when there is no vulnerability. Right?

I had thought I was only bothering them and wouldn't receive a reward.

This vulnerability has already been fixed.
So I think there is no problem writing about it now.

I’m sorry and thank you very much for every thing you have done for me, Google.

Timeline:

  • 2016/1/13 I reported a possible vulnerability.
  • 2016/1/13 The Google security team sent me the triaged mail.
  • 2016/1/20 The Google security team sent me a mail which said "I see it properly escaped in the source of the page."
  • 2016/1/20 I created a demo page and pointed out the possible vulnerability to the Google security team again.
  • 2016/1/30 The Google security team sent me a mail which said "I've filed a bug and will update you once we've got more information."
  • 2016/2/3 The Google security team sent me a mail which said "Thank you for reporting this bug. As part of Google's Vulnerability Reward Program, the panel has decided to issue a reward of $3133.7."