Blind XSS against a Googler
I found a blind xss against a Googler because they were using a vulnerable Gmail Chrome Extension.
When Google emailed all GSuite admins about its new feature, Hire with Google, I started to look into what the feature was and how it was designed. Initially, I could not look into this in depth because my G Suite account was not eligible for Hire. However, after few months a sales person from Google reached out to me asking if I wanted to demo or purchase the service.
I wanted to actually use/purchase the feature to see how it worked so, I went to https://hire.google.com/buy-now/ and started to fill the form. After few hours of submitting the form, something caught my attention. The sales person had reached back to me with an attachment of a contract to sign. I assumed this meant that the original email I got was not an automated sales email. Knowing that a real human was reading my submission, I got excited thinking "How are they receiving/reading my responses?". There could have been multiple ways this could have been done:
- Custom CMS where the data is stored.
- Third Party service.
- Data is directly sent to email.
To understand how this could work, I decided to try putting a blind xss payload on my name when submitting the form. My thought process was that if they had a custom CMS or used some third party service, this could probably work and I could have a blind xss. For my payload, I used a simple XSSHunter payload:
After few hours, when I went back to XSSHunter, it showed that a bXSS had been executed. To my surprise this executed on a https://mail.google.com origin:
This XSS then gave me a lot of sensitive details:
- Email communications between the victim and their colleagues: the DOM html contained every email they had in their inbox when the xss executed.
- User information of other G Suite admins who had filled their data for either demoing the Hire service or buying it.
- And many more sensitive information.
After reporting the issue, I discussed with Google's security team on how this could have executed. Turns out this was due to a XSS in Chrome extension for Gmail that they were using. In the end this was a cool bug and they rewarded pretty good for it.