starhouston.blogg.se

Google invoice submission

The researcher said the exploit could be used to steal Google’s sensitive information, and it could also be used to attack Google’s employee accounts to penetrate Google’s intranet. “The XSS was executed on a subdomain, let’s say ,” Orlita explained via email. “On this same subdomain, they have some kind of dashboard to view and manage the invoices submitted via the submission portal.”


Of course, Google discloses the details of a vulnerability only after it is completely repaired. The researchers revealed that a website used by Google to upload invoices was improperly configured. The original website required users to upload documents in. The advantage of using this format is that it can both accept content and avoid cross-site scripting attacks, but the developers appear to have made errors in the back-end configuration. When a document is uploaded and the system automatically converts it to HTML format, an attacker only needs to upload a document containing specific code to trigger the vulnerability.


After receiving the notice, Google completely repaired the vulnerability.


Recently, Google disclosed a security vulnerability that has been fixed. This vulnerability is a cross-site scripting attack that can be used to attack Google’s network and impersonate its employees. It is worth noting that this security vulnerability was discovered by a 16-year-old researcher.










