An Argentinian security expert who uses the online moniker Antrax claims to have identified a persistent cross-site scripting (XSS) vulnerability in Google’s Blogger service that could be used against administrators.
The researcher explains that an attacker could execute a potentially malicious script within the administration panel simply by publishing a cleverly crafted post.
In response, Antrax said that the vulnerability “is in the post, not the template.”
The expert published the proof-of-concept on Full Disclosure on Monday. At the time, he said that he had reported it to Google, but the company still hadn’t come up with a fix.
I’ve reached out to Google representatives to see what they have to say about this.