Others argue that it's not a vulnerability, but let's see what Google has to say about it

Jan 22, 2013 15:59 GMT

An Argentinian security expert who uses the online moniker Antrax claims to have identified a persistent cross-site scripting (XSS) vulnerability in Google’s Blogger service, which could be utilized against administrators.

The researcher explains that an attacker could execute a potentially malicious script within the administration panel simply by publishing a cleverly crafted post.

Others argue that this is not actually a vulnerability because, according to Google’s Vulnerability Reward Program, “users are permitted to place custom JavaScript in their own blog templates and blog posts.”

In response, Antrax said that the vulnerability “is in the post, not the template.”

The expert published the proof-of-concept on Full Disclosure on Monday. At the time, he said that he had reported it to Google, but the company still hadn’t come up with a fix.

I’ve reached out to Google representatives to see what they have to say about this.

In the meantime, check out the POC gallery below.

[Gallery: Persistent XSS vulnerability in Blogger (3 images)]