XSS - Google Groups (groups.google.com) - Vulnerability Reward Program

Hi! Just want to share my finding, I have found Reflected XSS Vulnerability in Google Groups. With no user interaction, enjoy ;-)

About

Title: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
Payload: <href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)

Steps to Reproduce

This bug requires 2 accounts.

1. Login to Google Groups With Account 1

2. Create a group.

3. Publish in the group and Upload a .swf file with a payload written in the file. (Download here!)

4. Now click on "see"

5. Now you will see a XSS in “sandbox” domain (No problem ;))

Now we have a link to acesss the .swf file (https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/xss.swf?part=4&authuser=0&view=1)

6. Logout Google Services with Account 1º
7. Login to Google Services With Account 2º
8. Now acess the file created before with account 1º
9. Now we will see a forbidden page. (the file is restricted)
10. Inject the code ( <href="url" onmouseover=alert(1)>SOMETEXTHERE)
11. Injected link: https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/XSSbyMS%3Chref=%22url%22%20onmouseover=alert%281%29%3E

Disclosure Timeline

October 24, 2013 at 11:00 PM (WET Time): Vulnerability Discovered

October 25, 2013 at 00:05 AM (WET Time): Initial Report

October 25, 2013 at 00:05 AM (WET Time): Autoresponse from Security bot

October 25, 2013 at 8:22 PM (WET Time): First response from Security Team

November 5, 2013 at 22:46 AM (WET Time): Bounty Rewarded.

November 7, 2013: Vulnerability Fixed

You can see my name in Hall of Fame, and I promise, I'll be there more often ;). (http://www.google.com/about/appsecurity/hall-of-fame/reward/)

Sorry about my English :3

Read More