Security researcher Zohar Shachar has reported an XSS vulnerability in Google Maps through Google's bug reward program. With each passing day there is fresh news of hacks, security researchers, and vulnerabilities; in short, these incidents indicate that cyber threats are increasing at an alarming pace.
The issue was related to the Google Maps feature that allows users to create their own maps. These maps can later be exported in a variety of formats, including KML, an XML-based format commonly used to display geographic data in Google Earth and similar applications.
While analyzing the server response produced when exporting a map as KML, Zohar Shachar noticed that the XML contained an open CDATA tag wrapping user-supplied content.
First XSS: Escape CDATA for SVG payload
Using special characters, Zohar Shachar then tried to close that tag, and he observed that prefixing his payload with "]]>" let him break out of the CDATA section and inject arbitrary XML content; this ultimately leads to an XSS vulnerability.
In short, using this flaw an attacker could create a new map in Google Maps and equip it with an XSS payload, make it public, export it as a KML file, and send the download link to a victim; when the victim clicks the link, the malicious code executes in the victim's browser.
Second XSS: Bypass Fix and Escape CDATA Again
After discovering this flaw, Zohar Shachar immediately reported the bug to Google, and for that report he received $5,000 as a reward under Google's Bug Bounty program.
But here comes the twist: after reporting the first bug, Zohar decided to analyze the patch Google had implemented to fix it. Within 10 minutes, he managed to bypass Google's solution and achieve cross-site scripting once again.
This time the content was wrapped in two CDATA tags, so to bypass the fix he simply closed the tags twice, and the exploit worked again. He reported this flaw to Google, and once again he received $5,000 as a reward.
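The root cause described above is that a CDATA section has exactly one terminator, "]]>", and wrapping untrusted text in a second CDATA layer does not change that: the same terminator closes every layer, so a payload only needs to repeat it. The example below is added here for illustration and is not Google's code or the researcher's; it models a KML description element with the names `naive_cdata`, `safe_cdata` and `cdata_breakout_probe` (all hypothetical). The safe encoder splits every "]]>" in the input across two adjacent CDATA sections, and the probe is the kind of regression check a defender can run to confirm that user text can never add elements to the parsed document.

```python
import xml.etree.ElementTree as ET

# Constructed KML-like skeleton; the real KML export is more elaborate.
TEMPLATE = "<Placemark><name>map</name><description>{}</description></Placemark>"


def naive_cdata(text: str) -> str:
    """Wrap text in a CDATA section without neutralising the terminator (unsafe)."""
    return "<![CDATA[" + text + "]]>"


def safe_cdata(text: str) -> str:
    """Wrap text in CDATA so that no ']]>' sequence from the input survives intact.

    Each ']]>' becomes ']]' + ']]>' + '<![CDATA[' + '>', i.e. the section is closed
    after the two brackets and reopened before the '>', so the parser sees two
    adjacent CDATA sections whose concatenated text is the original input.
    """
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def parse_description(xml_doc: str):
    """Return (description text, child element tags) from the rendered XML."""
    root = ET.fromstring(xml_doc)
    desc = root.find("description")
    return (desc.text or "") + "".join((c.tail or "") for c in desc), [c.tag for c in desc]


def cdata_breakout_probe(encoder) -> bool:
    """True if the encoder keeps a terminator-bearing input as plain text.

    The probe input contains ']]>' followed by an inert element and a reopened
    CDATA section (constructed for the test). A safe encoder yields the input
    unchanged as text and adds no child elements to <description>.
    """
    probe = "]]><probe/><![CDATA["
    text, children = parse_description(TEMPLATE.format(encoder(probe)))
    return text == probe and children == []


if __name__ == "__main__":
    print("naive encoder safe:", cdata_breakout_probe(naive_cdata))  # False
    print("safe encoder safe: ", cdata_breakout_probe(safe_cdata))   # True
```

An equivalent defence is to drop CDATA altogether and XML-escape the user text with `xml.sax.saxutils.escape`, which has no terminator sequence to break out of; either way the regression probe should be part of the test suite so a later refactor cannot reintroduce the flaw.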
Zohar reported the first XSS bug on April 23, and by April 27 Google had acknowledged the vulnerability and published the first fix. Zohar received his first reward from Google on June 7, and the second on June 18.