Security researcher Henry N. Caga has identified a significant cross-site scripting (XSS) vulnerability within a Google sub-domain that allows hackers to perform various attacks, including session hijacking, phishing attacks, malware distribution, and data Theft.
This vulnerability exposed a bad actor entry point and highlighted the significance of solid cybersecurity policies.
Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :
AcuRisQ, that helps you to quantify risk accurately:
During the investigation, he suspects the URL that associated with https://aihub.cloud.google.com might be vulnerable then he experienced an unsuccessful attempt to exploit the ‘q’ parameter with various payloads, eventually crafting a double-encoded payload that revealed the XSS vulnerability.
Upon realizing the potential severity of the vulnerability, the researcher meticulously documented the process using Burpsuite and crafted a detailed report for Google’s security team. However, the initial report hit a snag when the Google team could not replicate the XSS pop-up.
Undeterred, the researcher delved deeper, creating a bash script to repeatedly request the vulnerable URL, which confirmed the inconsistency of the vulnerability’s trigger.
While perusing Google’s subdomains, a particular URL sparked suspicion:
https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br Instinct suggested a potential flaw, prompting an investigation.
The researcher began testing various payloads on the ‘q’ parameter, focusing on a favored XSS payload:
"><SvG/onload=alert(document.domain) id=hncaga> Despite encoding the payload to bypass potential filters, initial attempts were ineffective.
Persistence led to double encoding the payload, a technique that, surprisingly, triggered the XSS vulnerability.
The moment of success was captured via a Burpsuite-recorded video.
Further investigation revealed that the XSS vulnerability was not isolated to a single URL but affected all URLs from the aihub.cloud.google.com domain when the ‘q’ parameter was appended.
Adhering to responsible disclosure protocols, the researcher promptly reported the expanded findings to Google’s security team.
The team responded quickly, upgrading the issue’s priority and severity levels and expressing appreciation for the “Nice Catch!” The researcher was rewarded $4,133.70, including a $1,000 bonus for their comprehensive report and proof of concept scripts.
The XSS vulnerability posed significant risks, including:
The incident reminds us of the persistent need for robust cybersecurity measures, even within the infrastructure of technology leaders like Google. The collaborative efforts of users, developers, and security professionals are crucial in maintaining a secure online environment.
Acknowledgment
The researcher expressed gratitude to Google’s security team for their prompt and professional handling of the vulnerability, which ensured the continued protection of users worldwide.
On March 15, 2024, the researcher received an update from the Google security team informing me that the vulnerability had been resolved. However, the site began returning a 502 error, which Google clarified was due to the deprecation of aihub and its migration to Vertex AI since January 2024.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
APT24, a sophisticated cyber espionage group linked to China's People's Republic, has launched a relentless…
The Cl0p ransomware group has claimed responsibility for infiltrating Broadcom's internal systems as part of…
Grafana Labs has disclosed a critical security vulnerability affecting Grafana Enterprise that could allow attackers…
A critical security vulnerability has been discovered in ASUSTOR backup and synchronization software, allowing attackers…
Microsoft has introduced a practical new feature in Windows 11 designed specifically for public-facing monitors…
SonicWall has disclosed a critical stack-based buffer overflow vulnerability in its SonicOS SSLVPN service. That…