Hacking Google for fun and profit

I have been doing bug bounties since September 2013(Asana was the first), participated and qualified in almost all bug bounties at least once. My bucket list had Facebook, Yahoo, Twitter, Dropbox, Github and 100+ such sites (including couple of YC Startups ) but Google VRP was tough nut to crack. I always wanted to start my bug bounty story with Google, but failed in past with few duplicates.

I was watching 2016 Google I/O, Firebase was the main focus. I had reported couple of security issues when they were quite young. Got a mini box full of stickers, bands and hot souces for my contribution.


So when I saw Firebase got a new site that too on a *google.com(https://firebase.google.com/),  it all came back to me.

The minimum bounty on Google main domain(*.google.com) is $500, more than that you’ll get your name in prestigious Google Hall of Fame.

XSS on firbase.google.com 

With high hopes I started my testing, found out folder name in storage section of the Firebase application is not validating user input for JS. One can create a folder with javascript as folder name and JS is getting executed on the page.

It will render an default error image when you create a folder with name <img src=x>, I was also able to inject the javascript into page DOM from URL.

https://console.firebase.google.com/project/PROJECT_NAME/storage/files/<img src=x>/

will render the image tag on the project page with PROJECT_NAME. Though I was not able to get an alert box  (I was using onerror=alert(0) but later got to know onmouseover=alert(0) was working ) but Google accepted the XSS anyway.

Screen Shot 2016-07-30 at 4.56.56 PM

In worst case attacker had the ability to get Google cookies just by sending a malicious firebase project link.

Google paid $5000 for this.

Clickjacking on Google Analytics

After that $5000 hangover, I started again. This time found a clickjacking on Google Analytics Gallery, Google was using(still using) Javascript based protection.

When I was trying to open the domain in an iframe, it will open for few seconds and redirect to main domain. So I had to find a way to stop the redirection, there are couple of bypass listed on OWASP for client side CJ protection. Using OWASP bypass I was able to create the POC. Google accepted the bug and paid $500 for this.

Screen Shot 2016-07-30 at 5.12.16 PM

2 success boosted my lost confidence with Google. Though I had made a mistake, I should have tested Firebase old site as well while testing new one.

After these two issues, I came back to Firebase and found a critical CSRF where attacker can add user in any Firebase project.

Visiting the following link will add a user with email ‘manish@gmail.com’ with password ‘hello12345.’


Visiting a web page with above link inside an image tag will add an external user to any Firebase application.

Since it was an API issue both new as well as old site were affected. Google said “Nice catch” at first, later they found out it is duplicate of an existing report. I missed this one by 1 or 2 days.

Lesson learnt “Never celebrate early and never get satisfied with work”.

Google VRP is one of the toughest and best vulnerability reward program out there, you’ll get the first update within 24 hours and payments are also good.

I also got a private VIP invitation for a “Invitation only program” in Vegas and a vulnerability research grant of $1337 to work on Google beta products and security research.

At the time of posting this, I’m ranked #63 worldwide on Google VRP (https://bughunter.withgoogle.com/profile/a2cfa278-404f-40f8-954e-c2b0428b5e82) .

If you have any questions, suggestion regarding this post or want to hire me – feel free to reach out on my Twitter.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s