item 13829925

Finding a $5,000 Google Maps XSS by fiddling with Protobuf

304 points | mar1 | 9 years ago | medium.com

18 comments

hartator | 9 years ago
I still think $5,000 is ridiculously low. Lots of research like this fails, and it happens that you do the work just to be told someone already filed a similar bug before.
bwblabs | 9 years ago
Pretty elaborate research indeed. I once filed a very simple, but just as dangerous, stored XSS on www.linkedin.com (with access to cookies) + some other bug, hoping to speed up my Partner API Request, got $400 for the XSS and many weeks later $400 for the other bug too (which took them 6+ months to fix). The $/time wasn't worth it, and of course the Partner API Request got declined without explanation.
danielweber | 9 years ago
It seems to be the market clearing price. Lots of companies think "hey, we offer peanuts and people do all this expensive work for us."

This guy did it to land a job. Hopefully he's done with spec-work like this and his new employer makes sure to negotiate rates ahead of time for security reviews.

hgears | 9 years ago
Fantastic analysis of a complex system. Congrats on the bounty! +1 for dropping that you're looking for work at the end, that's a great resume post.
scriptsmith | 9 years ago
Fantastic write-up. Scripting with Chrome's debug tools seems to be a promising way to find exploits among minified JS.
n13 | 9 years ago
Just wondering if anybody from Google asked you to apply for positions there after this?
timdierks | 9 years ago
@mar1, I've forwarded your interest in finding a job to our security recruiting lead. We don't have a relevant office in the desired location, but happy to discuss. Feel free to reach out, my email is [email protected].
mpeg | 9 years ago
Very clever use of the Chrome debugger APIs.

We should connect, my company doesn't have anyone fully remote right now but maybe we could do in the near future...

nicoboo | 9 years ago
Well done and well explained. Great thing to share your thoughts in open source as well. I wish you the best with your job search; companies like Advance or Octo would be great places for you in France, based on the skills you showed.
z3t4 | 9 years ago
Do you always get the bounty? Or do they sometimes fix the bug and ignore you?
lindgrenj6 | 9 years ago
Very cool! I didn't know that Chrome's debug tools were so powerful.
hamilyon2 | 9 years ago
Could this type of vulnerability be found using some clever fuzzer?
CorvusCrypto | 9 years ago
A lot of vulnerabilities like this are found with fuzzing. Same with poor encryption schemes. Depends on what your definition of clever is, but normally fuzzing is an intermediate research step to just see what response you get as you change input, to ascertain information about what's going on behind the scenes so you can use a more directed attack later.
otterley | 9 years ago
Nice work, Marin. Great detail on your methods and findings.