Saturday, November 30, 2013

XSS - Google Groups ( - Vulnerability Reward Program

Hi! Just want to share my finding, I have found Reflected XSS Vulnerability in Google Groups. With no user interaction, enjoy ;-)


Title: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
<href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)

Steps to Reproduce

This bug requires 2 accounts.

1. Login to Google Groups With Account 1
2. Create a group.
3. Publish in the group and Upload a .swf file with a payload written in the file. (Download here!)
4. Now click on "see"

5. Now you will see a XSS in “sandbox” domain (No problem ;))

Now we have a link to acesss the .swf file (

6. Logout Google Services with Account 1º

7. Login to Google Services With Account 2º
8. Now acess the file created before with account 1º
9. Now we will see a forbidden page. (the file is restricted)
10. Inject the code ( <href="url" onmouseover=alert(1)>SOMETEXTHERE)
11. Injected link:

Disclosure Timeline

October 24, 2013 at 11:00 PM (WET Time): Vulnerability Discovered
October 25, 2013 at 00:05 AM (WET Time): Initial Report
October 25, 2013 at 00:05 AM (WET Time): Autoresponse from Security bot
October 25, 2013 at 8:22 PM (WET Time): First response from Security Team
November 5, 2013 at 22:46 AM (WET Time): Bounty Rewarded.
November 7, 2013: Vulnerability Fixed
You can see my name in Hall of Fame, and I promise, I'll be there more often ;). (

Sorry about my English :3