Expert Claims to Have Identified Persistent XSS Flaw in Google’s Blogger Service

Others argue that it's not a vulnerability, but let's see what Google has to say about it

By on January 22nd, 2013 15:59 GMT

An Argentinian security expert who uses the online moniker Antrax claims to have identified a persistent cross-site scripting (XSS) vulnerability in Google’s Blogger service, which could be utilized against administrators.

The researcher explains that an attacker could execute a potentially malicious script within the administration panel simply by publishing a cleverly crafted post.

Others argue that this is not actually a vulnerability because, according to Google’s Vulnerability Reward Program, “users are permitted to place custom JavaScript in their own blog templates and blog posts.”

In response, Antrax said that the vulnerability “is in the post, not the template.”

The expert published the proof-of-concept on Full Disclosure on Monday. At the time, he said that he had reported it to Google, but the company still hadn’t come up with a fix.

I’ve reached out to Google representatives to see what they have to say about this.

In the meantime, check out the POC gallery below.

Persistent XSS vulnerability in Blogger (3 Images)
