Google fixes dormant XSS issue in Cloud Console dashboard

May 17, 2016 21:10 GMT

ERNW security researcher Patrik Fehrenbach found a cross-site scripting (XSS) issue in one of Google's services that could do real damage and has an unusual trigger: the payload does nothing when the page loads and fires only later, when a user acts on it.

Fehrenbach discovered the XSS bug on Google's Cloud Platform Console, a dashboard for managing Google Cloud services.

Researcher discovered the bug by accident

The researcher explained today on his blog that he had spent a long time trying to find XSS issues on the site without success, because Google escapes and filters user-supplied input aggressively.

In the usual case, both kinds of XSS bug, stored and reflected, execute as soon as the affected page loads. In a reflected XSS, the payload travels in a crafted link or request, is echoed back in the server's immediate response, and runs when the victim opens that response. In a stored XSS, the payload is saved on the server side (in a database, a profile field, a name) and runs whenever any user loads the page that renders it.

Fehrenbach's bug is a stored XSS with a twist: the payload sat harmlessly in a stored field and executed only after a user took a later action on it. He calls this a "sleeping stored" XSS.

He found it while cleaning out his Google Cloud Console of earlier (failed) XSS payloads. When he deleted one of those old projects, the payload embedded in its name executed, to Fehrenbach's great surprise: the project listing had escaped the name correctly, but the deletion flow evidently did not.

XSS bug is dangerous because it executes with a delay

Because a Google Cloud Console is usually shared by more than one person, an attacker with access to it could create a project whose name carries a payload and simply leave it on the dashboard, where it renders as inert text.

An administrator will eventually notice the oddly named project, take it for a failed exploit attempt or a test, and delete it. That deletion is what triggers the payload, which could be a cookie stealer or any other script running with the administrator's session in the console.
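The scenario above comes down to two rendering paths for the same stored value: a project listing that escapes the name, so the payload sleeps, and a delete-confirmation dialog that interpolates it raw, so the payload wakes. The following is an added example, not Google's code and not from Fehrenbach's write-up; it models both paths with plain string rendering (standing in for an `innerHTML` assignment) and adds a crude check a tester can run over rendered output. The project names, IDs and the placeholder payload are constructed for illustration.

```javascript
// Added example (not Google's code): a model of a "sleeping" stored XSS that
// survives a correctly escaping listing view and fires from a second, less
// careful rendering path such as a delete-confirmation dialog.

// Minimal HTML escaping for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample data: one ordinary project and one whose stored name
// carries an XSS payload. The tag is a placeholder, not a real exploit.
const PAYLOAD_NAME = '<img src=x onerror="alert(document.domain)">';
const projects = [
  { id: "demo-project-1", name: "Production API" },
  { id: "demo-project-2", name: PAYLOAD_NAME },
];

// Listing view: names are escaped, so the payload renders as harmless text.
// This is why the payload looks dormant on the dashboard.
function renderProjectList(items) {
  const rows = items.map(
    (p) => `<li data-id="${escapeHtml(p.id)}">${escapeHtml(p.name)}</li>`
  );
  return "<ul>" + rows.join("") + "</ul>";
}

// Vulnerable confirmation dialog: the name is interpolated raw into markup
// that would later be assigned to innerHTML. The stored payload wakes here.
function renderDeleteDialogVulnerable(p) {
  return `<div class="dialog">Delete project "${p.name}"? ` +
         `<button data-id="${p.id}">Confirm</button></div>`;
}

// Hardened version: every dynamic value passes through the same escaping as
// the listing view. In a real page, building the dialog with DOM APIs and
// textContent instead of string concatenation is better still.
function renderDeleteDialogFixed(p) {
  return `<div class="dialog">Delete project "${escapeHtml(p.name)}"? ` +
         `<button data-id="${escapeHtml(p.id)}">Confirm</button></div>`;
}

// Crude sink check for rendered output: is there a <script> element, or a
// tag carrying an inline on*= event handler? An escaped payload appears as
// "&lt;img ..." and therefore does not match.
function hasActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Walks the scenario end to end for a set of projects: the listing should be
// clean, the vulnerable dialog should fire for the poisoned project only,
// and the fixed dialog should never fire.
function auditScenario(items) {
  return {
    listingHasActiveMarkup: hasActiveMarkup(renderProjectList(items)),
    vulnerableDialogsFiring: items
      .filter((p) => hasActiveMarkup(renderDeleteDialogVulnerable(p)))
      .map((p) => p.id),
    fixedDialogsFiring: items
      .filter((p) => hasActiveMarkup(renderDeleteDialogFixed(p)))
      .map((p) => p.id),
  };
}

console.log(JSON.stringify(auditScenario(projects), null, 2));
```

The practical lesson is the one Fehrenbach's bug teaches: when hunting stored XSS, leaving payloads in every stored field and then exercising every workflow that touches them (rename, delete, export, notifications) finds sinks that a page-load check never reaches, and a defender fixes it by routing all of those paths through one escaping or DOM-building helper rather than by patching the single dialog found.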

The researcher reported the issue through Google's bug bounty program, and the company awarded him $5,000. Google's rewards for ordinary XSS bugs are usually far lower, so the sum reflects that this one was anything but trivial.