Finding a $5,000 Google Maps XSS by fiddling with Protobuf (opens in new tab)

(medium.com)

304 pointsmar19y ago18 comments

18 comments

18 comments · 11 top-level

hartator9y ago· 3 in thread

I still think $5,000 is ridiculously low. Lots of research like this fails and it happens you do the work just to be told someone already filled a similar bug before.

bwblabs9y ago

Pretty elaborate research indeed, I once filed a very simple, but just as dangerous, stored XSS on www.linkedin.com (with access to cookies) + some other bug, hoping to speedup my Partner API Request, got $400 for the XSS and many weeks later $400 for the other bug too (which took them 6+ months to fix). The $/time wasn't worth it, and of course the Partner API Request got declined without explanation.

danielweber9y ago

It seems to be the market clearing price. Lots of companies think "hey, we offer peanuts and people do all this expensive work for us."

This guy did it to land a job. Hopefully he's done with spec-work like this and his new employer makes sure to negotiate rates ahead of time for security reviews.

slv779y ago

Small bounties may not be extremely effective at getting expensive people to work for peanuts but they are very effective at destroying the underground economy where these bugs used to be shared, traded or sold.

Since there is no honor among thieves every buyer has to assume that any bug they buy will also be sold to other buyers. With even a moderate bug bounty in place it becomes a prisoners dilemma for all parties who know of the bug. The first person to disclose the bug captures the bounty and the remaining parties get shut out.

Since everyone in the market has to assume that everyone else is cheating the market collapses. Microsoft has a paper on the economic incentives of the underground economy that covers the topic nicely:

https://www.microsoft.com/en-us/research/publication/nobody-...

n139y ago· 2 in thread

Just wondering if anybody from Google asked you to apply for positions there after this?

timdierks9y ago

@mar1, I've forwarded your interest in finding a job to our security recruiting lead. We don't have a relevant office in the desired location, but happy to discuss. Feel free to reach out, my email is dierks@google.com.

n139y ago

This is the reason why I love people at Google. They do listen! :-)

zippy7869y ago· 1 in thread

Awesome find and write up. Wondering why you did not get the full $7500 for this

https://www.google.com/about/appsecurity/reward-program/inde...

How come accounts.google.com more severe than others for XSS ?

jonknee9y ago

> How come accounts.google.com more severe than others for XSS ?

Because that's where the jewels are: "Control, protect, and secure your account, all in one place"

hamilyon29y ago· 1 in thread

Could this type of vunerability be found using some clever fuzzer?

CorvusCrypto9y ago

A lot of vulnerabilities like this are found with fuzzing. Same with poor encryption schemes. Depends what your definition of clever is but normally fuzzing is an intermediate research step to just see what response you get as you change input to ascertain information of what's going on behind the scenes so you can use a more directed attack later.

hgears9y ago

Fantastic analysis of a complex system. Congrats on the bounty! +1 for dropping that you're looking for work at the end, that's a great resume post.

scriptsmith9y ago

Fantastic write-up. Scripting with Chrome's debug tools seems to be a promising way to find exploits among minified js.

mpeg9y ago

Very clever use of the Chrome debugger APIs.

We should connect, my company doesn't have anyone fully remote right now but maybe we could do in the near future...

nicoboo9y ago

Well done and well explained. Great thing to share your thoughts in open-source as well. I wish you the best with your job research, companies like Advance or Octo would be great places for you in France, based on the skills you showed.

z3t49y ago

Do you always get the bounty ? Or do they sometimes fix the bug and ignore you ?

lindgrenj69y ago

Very cool! I didn't know that chrome's debug tools were so powerful.

otterley9y ago

Nice work, Marin. Great detail on your methods and findings.

j / k navigate · click thread line to collapse