"As it turned out, Google was not filtering the error message once a project was canceled. Astute readers may question why this was not classified as a low level self XSS. This issue was escalated because the Google Cloud Platform can be used by multiple users; if a user creates a project with a malicious XSS payload, that payload could be used against the project administrator to execute malicious JavaScript (if they delete the project, which seems likely)."

Fehrenbach collected the vulnerability details and sent them to Google in a report. The tech company responded by fixing the flaw and awarding the researcher $5,000 for his efforts. You can view a video of the proof-of-concept exploit Fehrenbach sent to Google's Vulnerability Rewards Program (VRP) here.

News of this discovery follows on the heels of popular domain registrar GoDaddy's remediation of a blind cross-site scripting (XSS) vulnerability that attackers could have used to take over, modify, or delete users’ accounts.