Stored XSS on biz.waze.com

I often monitor news about some of my common bug bounty targets. One of them is Google. During one such research session, I found a news article that mentioned Google's new ad service for Waze, a mobile app company they had previously acquired. Here is the news article: https://www.cnbc.com/2018/03/28/google-owned-waze-launches-waze-local-ads.html

After reading the article, I went ahead and signed up for the Waze Business dashboard. After signing up, one of the first things I checked was how the app sanitized user input. To do this, I played around with how it would respond to common XSS payloads and to any form of template injection (if possible). Most of the app was pretty secure in terms of input sanitization; however, there was one particular section that did not perform proper sanitization.

As a business administrator, you can preview advertisements based on location to see how they will look. The link to preview it looked like this: https://biz.waze.com/providers/<PROVIDER_ID>/offers/<OFFER_ID>/previews?preview_location_id=<LOCATION_ID>. After loading the page, I checked the DOM HTML to see how it rendered some of my tests. Almost all of this page was sanitized; however, it was not sanitized in one portion, where it loaded the selection choices. The XSS payload was not properly sanitized and was appended as an HTML snippet into the selection choice:

As seen in the image on the left, the snippet <svg/onload=alert(1)> was not properly sanitized, resulting in an XSS being triggered.
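The pattern described above, a stored label appended to the selection choices as markup, is shown next to a hardened form in this added example. It is not Waze's code or code from the original write-up; the function names and the sample data are hypothetical.

```javascript
// Constructed sample data: choice labels as a business admin might have saved them.
// The second label is the test snippet quoted in the write-up.
const choices = [
  { id: "1", label: "Main Street Cafe" },
  { id: "2", label: "<svg/onload=alert(1)>" },
];

// Vulnerable pattern (assumed): stored text is concatenated into markup,
// so the browser parses the label as HTML instead of displaying it.
function renderChoicesUnsafe(items) {
  const options = items.map((c) => `<option value="${c.id}">${c.label}</option>`);
  return `<select>${options.join("")}</select>`;
}

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened form: every stored value is encoded at the point of output.
// In the browser, building <option> elements and assigning textContent
// gives the same result without string templates.
function renderChoicesSafe(items) {
  const options = items.map(
    (c) => `<option value="${escapeHtml(c.id)}">${escapeHtml(c.label)}</option>`
  );
  return `<select>${options.join("")}</select>`;
}

// Regression check: any opening tag other than the expected ones means
// stored data was parsed as markup.
function unexpectedTags(html, allowed = ["select", "option"]) {
  const found = [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return found.filter((tag) => !allowed.includes(tag));
}

console.log("unsafe:", unexpectedTags(renderChoicesUnsafe(choices)));
console.log("safe:  ", unexpectedTags(renderChoicesSafe(choices)));
```

A check like `unexpectedTags` can run in a test suite against each rendered view so that a field missed during output encoding is caught before release.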

Exploiting this XSS

At first glance, this seems to be a self-XSS. However, at biz.waze.com, we have the ability to invite other users to help manage ads for us. The interesting part of this is that the user does not have to accept the invitation and is automatically added, allowing them to get XSSed. Another interesting thing is that biz.waze.com works with waze.com login info, so an attacker can grab information about another user.