Google Services in Great Danger in 2022! Want to know How?
Google has never backed down from delivering high-quality services to its users, and you might think that it will never let you down. Right? Most of us think exactly that. This time, however, we might be in for a serious shock, even if you're confident in Google.
Vulnerabilities were found in 3 of the best services of Google
- Google Cloud
- Google Play
- Google DevSite
Two vulnerabilities have been found that give attackers the chance to launch cross-site scripting (XSS) attacks. These attacks can open the door for attackers to hijack the accounts of users there.
Reflected XSS Bug – Google DevSite
A link controlled by the attacker can run JavaScript on the origins http://cloud.Google.com and http://developers.Google.com. This means that an attacker could read and modify the content by bypassing the same-origin policy.
DOM-Based XSS Bug – Google Play
These vulnerabilities arise whenever JavaScript takes data from an unknown source (such as the URL) and sends it to a sink that supports the execution of dynamic code, like eval() or innerHTML.
Using this, an attacker can run malicious JavaScript and hijack other users' accounts.
NDevTK (Researcher)
This researcher found both vulnerabilities and said:
<DevSite-language-selector> part of the URL was being reflected as HTML because of loopholes in the server-side installation. Due to that, it became possible to get XSS on the origins via components from the 404 page.
The researcher also told The Daily Swig:
Users don't think that the same server response would be sent to other users if there isn't any use of an attacker-provided URL.
According to them…
The search ends up showing an error after running vulnerable code on the search page of the Google Play Console.
The error result was possible by doing /?search=&. That's because window.location involves the hash, which never encodes. Escaping from the href context and setting up other HTML attributes is possible.
CSP was more powerful in preventing this error than the DevSite XSS. Nevertheless, the DevSite XSS was awarded by the panel.
- The researcher got a bounty worth $3,133.70 for the DevSite issue.
- They were awarded a bounty of $5,000 for the loopholes in Google Play.
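The DOM-based pattern described above (URL data reaching an HTML sink, and an unencoded quote in the hash escaping the href context) is shown here beside a hardened form. This is an added example, not Google's code or the researcher's; the function names, the console.example URL and the link markup are assumptions for illustration, and the sample input is constructed.

```javascript
// Constructed stand-in for window.location.href. Per the page, the hash is
// not encoded, so the single quote reaches the page script raw.
const SAMPLE_HREF = "https://console.example/?search=&#'data-injected='1";

// Vulnerable pattern: URL text concatenated into a single-quoted href and
// then given to an HTML sink such as innerHTML.
function renderRetryLinkUnsafe(href) {
  return "<a href='" + href + "'>Retry search</a>";
}

// Encode every character that can close an attribute value or open markup.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: allow only http(s) URLs and escape before building HTML.
// (In a browser, assigning a.href / a.textContent on a created element
// avoids HTML parsing of the value altogether.)
function renderRetryLinkSafe(href) {
  const url = new URL(href);
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("unexpected URL scheme: " + url.protocol);
  }
  return "<a href='" + escapeAttr(url.href) + "'>Retry search</a>";
}

// Lists attribute names in the opening <a> tag. An HTML parser starts a new
// attribute right after a closing quote, even without whitespace.
function anchorAttributeNames(html) {
  const tag = html.slice(0, html.indexOf(">"));
  const names = [];
  const re = /([^\s'=<>]+)='[^']*'/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// The unsafe render gains an extra attribute; the safe render keeps only href.
console.log(anchorAttributeNames(renderRetryLinkUnsafe(SAMPLE_HREF)));
console.log(anchorAttributeNames(renderRetryLinkSafe(SAMPLE_HREF)));
```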
To develop, you’ll sacrifice a lot. Be alert and be prepared for the best!