The researcher told us that while the finding was accidental, he is constantly on the hunt for Google-related vulnerabilities and is an active member of the Google Vulnerability Reward Program. Said was awarded a bug bounty of $3,133 for his disclosure of the bug. The DOM-based XSS flaw was reported directly to Google and subsequently fixed. However, as it is present in a browser extension that acts as an overlay during an internet session, the flaw is universal and not related to particular domains. The mention of Facebook raised queries on Twitter over whether or not external services contained the same flaw. The XSS vulnerability could be used to execute JavaScript in a browser session, such as on domains including and .

An attack could be triggered if a vulnerable version of the extension is in use and a victim viewed a crafted email or clicked a malicious link. If matches are found, these are assigned in variable ‘f’ and put in a span element’s content as variable ‘h’.

An error was discovered in sink functions following script-based checks and verification processes.

According to the researcher, the bug was likely caused by the execution of the wrong variable in a part of Wg()’s code – ‘a’ rather than ‘f’. It is used to search through an HTML/XML body for content and to assign text nodes with the variable ‘a’ (a DOM XPath-injection), while another variable, ‘b’, is used to find phone numbers. Wg() is used to grab phone numbers for the extension’s click-and-call function. The researcher realized that Google Ads’ customer IDs use the same format as US phone numbers.

After examining the source code of the Google Voice extension, Said ascertained that the bug was contained in the file contentscript.js, in a function called Wg().
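
The wrong-variable pattern described for Wg(), as an added example that is not the extension's code: a DOM-free model in which the whole text-node content (‘a’) reaches an HTML sink instead of only the matched number (‘f’), next to a hardened form. The function names, the `gv-call` class, the regex and the sample text are assumptions made for illustration.

```javascript
// Added illustration (hypothetical names, not the extension's code).
// A text node's content is literal text; it only becomes markup again
// if it is written back through an HTML sink such as innerHTML.

const PHONE_RE = /\b\d{3}-\d{3}-\d{4}\b/; // US-style number; also matches IDs in that format

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Flawed pattern: `a` is the whole text-node content, `f` the matched number.
// The span is filled from `a`, so everything around the number is re-parsed as HTML.
function wrapVulnerable(a) {
  const m = PHONE_RE.exec(a);
  if (!m) return escapeHtml(a); // untouched text node stays text
  const f = m[0];               // computed, but never reaches the sink
  return `<span class="gv-call">${a}</span>`;
}

// Hardened pattern: only the validated match `f` goes into the span, and every
// piece is encoded (in a browser: createTextNode / textContent, never innerHTML).
function wrapSafe(a) {
  const m = PHONE_RE.exec(a);
  if (!m) return escapeHtml(a);
  const f = m[0];
  const before = a.slice(0, m.index);
  const after = a.slice(m.index + f.length);
  return `${escapeHtml(before)}<span class="gv-call">${escapeHtml(f)}</span>${escapeHtml(after)}`;
}

// Regression check: any tag other than the wrapper span means text became markup.
function hasUnexpectedMarkup(html) {
  const stripped = html.replace(/<span class="gv-call">|<\/span>/g, "");
  return /<[a-zA-Z\/!]/.test(stripped);
}

// Constructed sample: an ID in phone-number format followed by harmless markup text.
const sample = 'Customer ID 444-555-4455 <b id="constructed">markup</b>';

console.log(hasUnexpectedMarkup(wrapVulnerable(sample))); // true
console.log(hasUnexpectedMarkup(wrapSafe(sample)));       // false
```
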
Said discovered the XSS issue during a browser session when the extension was installed and his Gmail inbox was open.

After opening Gmail, the extension’s code triggered a popup, prompting Said to explore further.

A clue was a particular line of text in email content: ‘44 ’. The Google Voice extension can be used to initiate calls and send text messages through the Chrome browser. Missoum Said – aka – recently disclosed his findings in a blog post.

Accidentally discovered bug could have had far-reaching consequences

A DOM-based cross-site scripting (XSS) vulnerability has been discovered in the Google Voice browser extension.