Researchers got Rewarded by $10,000 for Reporting XXE Vulnerability in Google

Researchers found a critical XXE vulnerability that let them access internal files on Google’s production servers. It sounds surprising, but the bug was real and let the finders read any internal file.

The vulnerability was in the Google Toolbar Button Gallery. The team of researchers found the bug when they noticed that Google lets users customize their toolbars by adding new buttons. Developers can easily create their own buttons by uploading XML files containing metadata for styling.

This class of vulnerability is called XML External Entity (XXE) injection, also referred to as “XML Injection”. The researchers crafted their own buttons; by uploading them they gained access to internal files on a Google production server, for example reading “/etc/passwd” and “/etc/hosts”.
The team of researchers reported the vulnerability to Google, which, as is well known, runs a bug bounty program. Google rewarded the researchers with $10,000 for identifying the bug in the search engine’s feature.
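As an added example (not Google’s code and not the researchers’ proof of concept), here is how an upload endpoint can refuse XML that carries a DOCTYPE, entity declarations or external entity references before the file ever reaches the real parser, which is the mitigation for the bug class described above. The button element names and the file path in the constructed samples are assumptions, not the real gallery format.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an upload carries XML features an XXE attack depends on."""


def check_button_xml(data: bytes) -> None:
    """Parse `data` with expat and raise UnsafeXmlError at the first sign of a
    DOCTYPE, an entity declaration, or an external entity reference.
    Returns None when the document is well-formed and free of all three."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A DTD is the only place entities can be declared; a pure-data button
        # file (hypothetical format) has no reason to carry one.
        raise UnsafeXmlError(f"DOCTYPE for <{name}> is not allowed in uploads")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration '{name}' is not allowed")

    def on_external_ref(context, base, system_id, public_id):
        # expat never reads the referenced resource itself; an application
        # handler that did would be the file-read primitive. Refuse instead.
        raise UnsafeXmlError(f"external entity reference {system_id!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def is_safe_button_xml(data: bytes) -> bool:
    """True only for well-formed XML that passes check_button_xml."""
    try:
        check_button_xml(data)
    except (UnsafeXmlError, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed samples; the element names are not the real gallery format.
BENIGN_BUTTON = b"""<?xml version="1.0"?>
<button><title>Example</title><url>https://example.com/</url></button>"""

# The shape the write-up describes: a DTD declaring an entity backed by a
# server file, referenced from the button text.
XXE_BUTTON = b"""<?xml version="1.0"?>
<!DOCTYPE button [ <!ENTITY ext SYSTEM "file:///etc/hosts"> ]>
<button><title>&ext;</title></button>"""
```

Rejecting every DOCTYPE also blocks documents with harmless internal DTDs, which is an acceptable trade-off for a pure-data upload format. If the application then parses the file with a different library, external entity and DTD processing must be disabled there as well, since this pre-check only guards the bytes it was given.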

Source: http://whogothack.blogspot.co.uk/2014/04/researchers-got-rewarded-by-10000-for.html#.Vhp1Lfmqqko

The post Researchers got Rewarded by $10,000 for Reporting XXE Vulnerability in Google appeared first on Am I Hacker Proof.
