Thursday, 12 December 2013

Un-patched Google Vulnerabilities, #FAIL Bug Bounty Program

Today we are going to expose some live Google Vulnerabilities which are not under bug bounty program.

1. XSS On Google Vulnerability Submission Page:

Above script gives XSS on Google vulnerability submit page.. isn't it funny.. :P

2. XSS on Google Translate Page
When we reported about the above code then we got reply by Google.

"Cross-site scripting vulnerabilities in “sandbox” domains. We maintain a number of domains that leverage the same-origin policy to safely isolate certain types of untrusted content; the most prominent example of this is "*". Unless an impact on sensitive user data can be demonstrated, we do not consider the ability to execute JavaScript in that domain to be a bug."

3. Redirect URL

"URL redirection. We recognize that the address bar is the only reliable security indicator in modern browsers; consequently, we hold that the usability and security benefits of a small number of well-designed and closely monitored redirectors outweigh their true risks."

-> The first point is an Easter egg. when you will try below script<script>alert(document.cookie)</script>
 then the page will redirect to

-> The second one is on a sandbox domain *

-> Redirect URL all recognized & monitored by Google.

So all above scripts code are not under bug bounty program of Google.


Toggle Footer