AboutTitle: Reflected XSS in Google Groups
Business Risk: High
Discovery Date: October/November
Payload: <href="url" onmouseover=alert(1)>
Author: Manuel Sousa (me)
Steps to Reproduce
This bug requires 2 accounts.
1. Login to Google Groups With Account 1
2. Create a group.
3. Publish in the group and Upload a .swf file with a payload written in the file. (Download here!)4. Now click on "see"
5. Now you will see a XSS in “sandbox” domain (No problem ;))
Now we have a link to acesss the .swf file (https://groups.google.com/group/xsstesttmanuelsousa/attach/a9f1c6bf1187cde9/xss.swf?part=4&authuser=0&view=1)
6. Logout Google Services with Account 1º
7. Login to Google Services With Account 2º
8. Now acess the file created before with account 1º
9. Now we will see a forbidden page. (the file is restricted)
10. Inject the code ( <href="url" onmouseover=alert(1)>SOMETEXTHERE)
11. Injected link: https://groups.google.com/
October 24, 2013 at 11:00 PM (): Vulnerability Discovered
October 25, 2013 at 00:05 AM ( ): Initial Report
October 25, 2013 at 00:05 AM (): Autoresponse from Security bot
October 25, 2013 at 8:22 PM ( ): First response from Security Team
November 5, 2013 at 22:46 AM ( ): Bounty Rewarded.
November 7, 2013: Vulnerability Fixed
You can see my name in Hall of Fame, and I promise, I'll be there more often ;). (http://www.google.com/about/ap
Sorry about my English :3