XSS->Fix->Bypass: 10000$ bounty in Google Maps
Ah, this moment of thrill every Google bug hunter knows, when you see a new ‘buganizer’ email landing in your inbox. Did they accept my new bug submission? Or perhaps the panel decided on a bounty amount for the previous one? Or maybe a new awesome grant?
But then, you open the mail and see the demoralizing ‘fixed’ status updated. I mean, yeah, sure, it’s great that bugs are fixed, and security gaps are closed. But if we're being totally honest, this ‘fixed’ status is sort of ‘the end of the road’, the ‘final nail in the coffin’ for the particular research, and in many cases it’s hard and sad to let your precious bug go.
Well, scratch that! About a year ago I was traveling for work, sitting in a hotel room in a foreign country with nothing to do and nowhere to go, when a new ‘fixed’ status update landed in my mailbox, regarding an XSS I had found in Google Maps. Something in the boredom of that particular moment led me to overcome my initial mindset of ‘this is Google, they know how to fix an XSS’ and actually try to validate the fix. Within 10 minutes of that I had a bypass in hand, and a few days later a double bounty in my account. Yalla, to the bug!
Google Maps ‘export as KML’
One of the many features offered by Google Maps is creating your own map. You can play with this feature by going here. Once you're done building your map you can export it in several formats, one of which is KML (an XML-based file format with a few extra tags). Let’s create a sample map named ‘blabla<script>alert(1)</script>’, export it as ‘KML’ and review the server’s response:
Interesting! We receive an XML response (with some KML tags inside), and our map name (probably because it contains special chars such as ‘<’) is wrapped in a CDATA section, which means the browser will treat it as text rather than markup. But wait. How do you ‘close’ a CDATA section?
First XSS: Escape CDATA for SVG payload
I found that by adding special chars, you can ‘close’ the CDATA section. Specifically, by adding ‘]]>’ at the beginning of your payload (i.e. as the beginning of the ‘map name’), you can escape from the CDATA section and add arbitrary XML content (which will be rendered as XML), leading immediately to XSS (for example with a simple SVG XSS payload). Here are the complete reproduction steps I sent to Google (note: there is a missing ‘>’ in my description in step 3, which I corrected in a second email):
Unfortunately I do not have an image of the result... so you’ll just have to trust me that at the time (prior to the fix), the above led to XSS.
Shortly after the submission, I received my ‘Nice catch’ from Google, and shortly after that - a 5000$ bounty.
Second XSS: Bypass fix and Escape CDATA again
So, as mentioned above I was sitting in some hotel room when this landed in my mailbox:
I wanted to see what had been done. I launched Google Maps again, entered the same payload as before, and checked the response. What I saw was... confusing. From what I could tell, the fix for the CDATA closing problem was simply to add another CDATA section:
‘<script>’ will become ‘<![CDATA[<script>]]>’ (just like before)
‘]]><script>’ will become ‘<![CDATA[<![CDATA[<script>]]>]]>’
Guess you see where this is going. Two ‘CDATA’ open tags? No problem, just use two ‘CDATA’ closing tags!
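The defender's takeaway from both rounds is that a CDATA section cannot be ‘nested’ to neutralize ‘]]>’: the only thing that ends a CDATA section is the first ‘]]>’ the parser sees, so the untrusted string has to be split at every ‘]]>’ so that the sequence never appears inside a single section. The following is an added example (not Google’s code, and not the author’s); the KML skeleton and the `build_kml`, `cdata_wrap_naive`, `cdata_wrap_safe` and `name_is_inert` helpers are constructed for illustration. It builds a minimal KML document around an untrusted map name with both the fragile single-wrap approach and the split approach, then checks with a real XML parser whether the name produced anything other than text:

```python
import xml.etree.ElementTree as ET


def cdata_wrap_naive(text):
    """Fragile form: wrap the raw string in one CDATA section.
    The first ']]>' inside `text` terminates the section early and
    everything after it is parsed as markup."""
    return "<![CDATA[" + text + "]]>"


def cdata_wrap_safe(text):
    """Split every ']]>' across two CDATA sections so the terminator never
    appears inside one section:  ']]>'  ->  ']]'  + ']]><![CDATA['  + '>'.
    Concatenated by the parser, the text round-trips unchanged."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_kml(map_name, wrap):
    """Constructed minimal KML skeleton (not the real Google Maps output)
    with the untrusted map name embedded via the chosen wrapper."""
    return ("<kml><Document><name>" + wrap(map_name) + "</name>"
            "</Document></kml>")


def analyze(kml_text):
    """Parse with a strict XML parser.  Returns ('error', message) when the
    document is not well-formed, otherwise ('ok', [tags of any element that
    ended up beneath <name>]).  A safely escaped name yields ('ok', [])."""
    try:
        root = ET.fromstring(kml_text)
    except ET.ParseError as exc:
        return ("error", str(exc))
    name = root.find("./Document/name")
    extra = [child.tag for child in name.iter() if child is not name]
    return ("ok", extra)


def name_is_inert(map_name, wrap):
    """True only if the document parses and the name produced no elements."""
    status, detail = analyze(build_kml(map_name, wrap))
    return status == "ok" and detail == []


def round_trips(map_name, wrap):
    """True if the parser gives back exactly the original name as text."""
    root = ET.fromstring(build_kml(map_name, wrap))
    return root.find("./Document/name").text == map_name


# Constructed inputs, taken from the two cases described in the post:
BENIGN = "blabla<script>alert(1)</script>"       # no ']]>': CDATA holds
ESCAPING = "]]><script>alert(1)</script>"         # closes the section early
DOUBLE = "]]>]]><script>alert(1)</script>"        # two closers, as in the bypass

if __name__ == "__main__":
    for label, name in (("benign", BENIGN), ("escaping", ESCAPING), ("double", DOUBLE)):
        print(label, "naive:", analyze(build_kml(name, cdata_wrap_naive)))
        print(label, "safe: ", analyze(build_kml(name, cdata_wrap_safe)),
              "round-trips:", round_trips(name, cdata_wrap_safe))
```

Note that `cdata_wrap_safe` is not a patch for one specific string: it handles any number of ‘]]>’ occurrences, which is exactly what the ‘add one more CDATA’ fix did not, and the parser-based check (rather than string matching) is the test to keep in a regression suite, since it verifies the property that matters (no markup from user text) instead of the presence of a particular payload.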
I was genuinely surprised the bypass was so simple. I reported it so quickly (literally 10 minutes between checking my mailbox and reporting a bypass) that right after sending the mail I started doubting myself. I was sure I had missed something (maybe some other fix I didn’t notice, maybe some obvious reason why this doesn't work); I just couldn’t figure out what.
But I didn’t have much time for self-doubt. Less than two hours after my bypass email was sent, a reassuring response arrived:
A few days later, I was rewarded another 5000$ bounty. Sweet :)
Just a few weeks ago, I was able to re-exploit my SMTP Injection bug after it was marked as fixed and I doubled my bounty there as well.
Ever since this Google Maps fix bypass I have always re-validated fixes, even for simple things, and it has been paying off. I wholeheartedly encourage you to do the same.
04/23/2019 XSS reported to Google.
04/27/2019 bug accepted ('nice catch!').
05/07/2019 reward (5000$) issued.
06/07/2019 Issue reported as fixed.
06/07/2019 Fix bypass reported.
06/07/2019 Bypass confirmed, issue reopened.
06/18/2019 second reward (5000$) issued.