Un-patched Google Vulnerabilities, #FAIL Bug Bounty Program

Today we are going to expose some live Google vulnerabilities that are not covered by the bug bounty program.

1. XSS On Google Vulnerability Submission Page:

The above script gives XSS on the Google vulnerability submission page... isn't it funny? :P

2. XSS on Google Translate Page

When we reported the above code, we got this reply from Google:

"Cross-site scripting vulnerabilities in “sandbox” domains. We maintain a number of domains that leverage the same-origin policy to safely isolate certain types of untrusted content; the most prominent example of this is "*". Unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain to be a bug."

3. Redirect URL

"URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks."

 then the page will redirect to

-> The second one is on a sandbox domain *

-> The redirect URLs are all recognized and monitored by Google.

So none of the above scripts are covered by Google's bug bounty program.
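The isolation that the quoted "sandbox domains" reply relies on can be checked mechanically. The following is an added example, not part of the original post and not Google's code; every host name and cookie in it is constructed for illustration. It compares origins and applies RFC 6265 cookie domain matching to show what script running on a given page could reach.

```javascript
// Added illustration. All host names and cookies below are constructed.
const SENSITIVE_APP = "https://accounts.example.com/";
const SANDBOX_PAGE = "https://user123.sandbox-example.net/render";
const SIBLING_PAGE = "https://app.example.com/search";

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// RFC 6265 domain-match: a cookie is in scope for a host that equals the
// cookie domain or is a subdomain of it; host-only cookies need equality.
function cookieInScope(cookie, url) {
  const host = new URL(url).hostname;
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// document.cookie exposes a cookie only if it is in scope and not HttpOnly.
function scriptCanReadCookie(pageUrl, cookie) {
  return cookieInScope(cookie, pageUrl) && !cookie.httpOnly;
}

// What script execution on pageUrl reaches, relative to the sensitive app.
function assess(pageUrl, cookies) {
  return {
    sameOriginAsApp: sameOrigin(pageUrl, SENSITIVE_APP),
    readableCookies: cookies
      .filter((c) => scriptCanReadCookie(pageUrl, c))
      .map((c) => c.name),
  };
}

// Constructed cookie jar for the sensitive application.
const cookies = [
  { name: "SID", domain: "example.com", hostOnly: false, httpOnly: false },
  { name: "AUTH", domain: "example.com", hostOnly: false, httpOnly: true },
  { name: "PREFS", domain: "accounts.example.com", hostOnly: true, httpOnly: false },
];

console.log("sandbox:", assess(SANDBOX_PAGE, cookies));
console.log("sibling:", assess(SIBLING_PAGE, cookies));
```

The sandbox page reaches no cookies, which matches the "no impact on sensitive user data" condition in the reply; a page on a sibling subdomain of the application would reach the domain-wide, non-HttpOnly cookie.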


  1. The fail is yours, try to put alert(document.cookie), you will be redirected to

  2. Hi Proph3t, yes, we already knew about that... it's an Easter egg...

