Google’s bug bounty has been expanded to cover not only the firm’s own products, but also all apps in the official Google Play store with 100 million or more installs.
Read more in my article on the Hot for Security blog.
Bug hunter Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to Google’s internal network
The Czech researcher Thomas Orlita discovered an XSS vulnerability in Google’s Invoice Submission Portal that would have allowed attackers access to part of Google’s internal network.
The Google Invoice Submission Portal is a public portal used by Google’s business partners to submit invoices.
An attacker could also exploit the flaw to steal Google employee cookies for internal apps and hijack accounts or send spear-phishing messages.
The attack was devised by the expert in February, and Google addressed the issue in mid-April after the researcher reported it to the tech giant.
Orlita explained that an attacker could have uploaded malformed files in the Google Invoice Submission Portal, via the Upload Invoice field.
The expert noticed that the ‘upload’ feature for actual invoices in PDF format could be abused to upload HTML files. The attacker only had to intercept the upload request and change the uploaded file’s filename and Content-Type properties to HTML.
Using this trick it was possible to store malicious files in Google’s invoicing system, and they would have executed automatically when an employee accessed them.
“Since this is just a front-end validation, it doesn’t stop us from changing the file type when sending the upload POST request. Once we select any PDF file, an upload request is fired. We can intercept the request using a web proxy debugger and change the filename and the contents from .pdf to .html,” reads the analysis published by the expert.
Orlita uploaded an HTML file including an XSS payload that, when triggered, would send him an email every time it was loaded.
A few days later, the expert received an email message showing that the JavaScript code in the XSS payload had been executed on the googleplex.com domain.
This domain is used by Google for hosting internal websites and apps. If you attempt to access the domain you are redirected to a Google Corp login page for Google employees that requires authentication.
“The DOM of the page matches the XSS payload that was put instead of the PDF file. We can see that this URL is used for displaying a PDF file. But since the Content-Type of the uploaded file was changed from application/pdf to text/html, it displayed and rendered the XSS payload instead of the PDF,” continues the expert.
According to the researcher, it was possible to exploit the flaw to execute arbitrary code on behalf of Google employees and gain access to sensitive information.
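The root cause described above is that only the browser-side form checked the file type, so the server accepted whatever filename and Content-Type the client supplied and later served the stored bytes with that client-chosen type. The following is an added example (not Google's code) of how a defender validates such an upload on the server: the decision rests on the file bytes rather than the declared type, and the file is served back with a fixed server-known type, MIME sniffing disabled and no inline rendering. The sample uploads, the `HTML_MARKERS` heuristic and the function names are assumptions for this illustration.

```python
import re

PDF_MAGIC = b"%PDF-"
# Heuristic: tags that make a browser render or execute content if served inline.
# A production service would additionally parse the file with a PDF library.
HTML_MARKERS = re.compile(rb"<\s*(script|html|body|iframe|svg|img|meta)\b", re.I)


def validate_invoice_upload(filename: str, content_type: str, data: bytes) -> tuple:
    """Return (accepted, reason). The client-supplied filename and Content-Type
    are only sanity-checked; the verdict is based on the bytes themselves."""
    if not filename.lower().endswith(".pdf"):
        return False, "extension is not .pdf"
    if content_type.split(";")[0].strip().lower() != "application/pdf":
        return False, "declared Content-Type is not application/pdf"
    if not data.startswith(PDF_MAGIC):
        return False, "file does not start with a PDF header"
    # Polyglot check: a PDF header followed by markup would still be sniffed as HTML.
    if HTML_MARKERS.search(data[:4096]):
        return False, "PDF header followed by HTML markup"
    return True, "ok"


def response_headers_for_stored_file(stored_name: str) -> dict:
    """Headers for serving a stored invoice back to an employee. The type comes
    from the server, never from the upload; nosniff stops the browser from
    second-guessing it; attachment prevents inline rendering in the app origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)  # no header injection
    return {
        "Content-Type": "application/pdf",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples mirroring the report: a genuine PDF, and the same upload
# after its filename and Content-Type were rewritten to HTML in a proxy.
GOOD_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
XSS_HTML = b"<html><body><script>alert(document.domain)</script></body></html>"

if __name__ == "__main__":
    print(validate_invoice_upload("invoice.pdf", "application/pdf", GOOD_PDF))
    print(validate_invoice_upload("invoice.html", "text/html", XSS_HTML))
    print(response_headers_for_stored_file("invoice.pdf"))
```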
The expert pointed out that many Google internal apps are hosted on the googleplex.com domain, making this issue a gift for attackers.
Below is the timeline for the flaw:
21.02.2019: Vulnerability reported
22.02.2019: Priority changed to P2
22.02.2019: Added more information
25.02.2019: Accepted and priority changed to P1
06.03.2019: Reward issued
26.03.2019: A fix has been implemented
11.04.2019: Issue marked as fixed
Pierluigi Paganini
The post XSS flaw would have allowed hackers access to Google’s network and impersonate its employees appeared first on Security Affairs.
In October of 2018 my site was hit by a meteor called Google.
My traffic dropped by over 60% in just a couple of weeks—going from around 10,000 pageviews a day, to around 4,000.
Read about the March 2018 Update
After some research and help from Thomas Zickell, I knew that this was a Google algorithm update, but I still decided to tend to my SEO garden to see if I could help the situation.
Here are some of the things I did:
I’ve been blogging since 1999, so I have thousands of posts.
- Removed hundreds of old, personally-relevant (but not publicly useful) posts
- Removed lots of thin content
- Updated some of the metadata for the site
- Refreshed a few of my key pages
- Changed my top-level nav
- Added sub-menus to my top-level nav
- Added anchor pages for Information Security and Cybersecurity
- Other minor tweaks
I also had a recent article go viral due to some famous associates sharing it on Twitter, so that probably had an impact as well.
As is usually the case, you never know what exactly is working, or if Google is changing things on their side. But to me the graph matches the March Update pretty clearly.
I am sure there were many factors, but it seems clear that the March Core Update was a major one.
Many people are saying that this update reversed a lot of damage done to some sites in 2018, and I think that’s definitely true for me.
I was really worried that I was being punished because I talk about so many different topics on my site, and that I’d never make it back. But I noticed something while my traffic was low that gave me hope: many of the pages that ranked higher than me were really, really bad.
That told me that this wasn’t a policy change, but rather experimentation with something that would likely be fixed in the future for the benefit of users.
And that seems to be exactly what happened. I’m now up over 25,000 spots on Alexa, to sub-100K again.
Anyway, I hope this helps someone who might be going through something similar.