XSS vulnerability in Google subdomains allows hackers to hijack user sessions

Security researcher Henry N. Kaga has identified a critical cross-site scripting (XSS) vulnerability within Google’s subdomains. This vulnerability allows hackers to perform various attacks such as session hijacking, phishing attacks, malware distribution, and data theft.

This vulnerability exposes a point of entry for malicious attackers and highlights the importance of strong cybersecurity policies.


Free Webinar: Mitigating Vulnerabilities and Zero-Day Threats

Alert fatigue doesn’t help anyone, as security teams have to triage hundreds of vulnerabilities. :

  • Today’s fragility fatigue problem
  • Differences between CVSS-specific and risk-based vulnerabilities
  • Assess vulnerabilities based on business impact/risk
  • Automation reduces alert fatigue and significantly strengthens your security posture

AcuRisQ helps you accurately quantify risk.

Let’s get into the report.


During his investigation, he suspected that the URL associated with might be vulnerable, so he unsuccessfully tried to exploit the ‘q’ parameter in various payloads, and the final created a double-encoded payload. An XSS vulnerability has been revealed.

Recognizing the potential severity of the vulnerability, researchers used Burpsuite to carefully document the process and create a detailed report for Google’s security team. However, the initial report stalled as the Google team was unable to reproduce his XSS popup.

Undeterred, the researchers dug deeper and created a bash script that repeatedly requested the vulnerable URL. This confirms that the trigger for the vulnerability is inconsistent.

Bash script

While researching Google’s subdomains, a particular URL aroused my suspicions. 

Instinct suggested a potential flaw and prompted an investigation.

The researchers started testing different payloads with the ‘q’ parameter, focusing on the preferred XSS payload.

"><SvG/onload=alert(document.domain) id=hncaga> 

Initial attempts had no effect despite encoding the payload to bypass potential filters.

Persistence double-encoded the payload, and surprisingly, this technique led to an XSS vulnerability.

The moment of success was captured in a video recorded by Burpsuite.

Further investigation revealed that the XSS vulnerability is not limited to a single URL, but affects all URLs in the domain when the “q” parameter is added.

Report and resolve

The researchers followed responsible disclosure protocols and immediately reported their expanded findings to Google’s security team.

The team responded quickly, elevated the issue’s priority and severity level, and expressed their appreciation for the “nice catch!” The researcher was paid $4,133.70, including his $1,000 bonus for a comprehensive report and proof-of-concept script.


XSS vulnerabilities posed significant risks, including:

  • session hijack: An attacker could exploit this vulnerability to take over a user session.
  • Phishing attack: This flaw could have made it easier to create phishing pages to trick users.
  • Distribution of malware: Users may have been redirected to a site filled with malware.
  • data theft: Sensitive data such as cookies and tokens were at risk of theft.
  • Harmful rumor: Security flaws like this can damage Google’s reputation for secure services.

This incident is a reminder that robust cybersecurity measures are always needed, even within the infrastructure of a technology leader like Google. Maintaining a safe online environment requires a collaborative effort from users, developers, and security experts.


The researchers thanked Google’s security team for quickly and professionally addressing this vulnerability, ensuring continued protection for users around the world.

On March 15, 2024, researchers received an update from the Google security team that the vulnerability had been resolved. However, the site started returning 502 errors and Google revealed that this was due to his deprecation of aihub from January 2024 and migration to Vertex AI.

Are you a member of SOC and DFIR teams? – Analyze malware incidents and get live access on ANY.RUN -> Get started for free now.

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button