Researcher reveals Google Maps XSS bug, patch bypass

The bounty was doubled after the bug bounty hunter realized the original fix had failed.
Written by Charlie Osborne, Contributing Writer

Google has resolved an XSS vulnerability in Google Maps that was reported through the tech giant's bug bounty program. 

Google's Vulnerability Reward Program (VRP) provides a platform for third-party researchers to privately disclose security issues in Google services and products, in return for a financial reward and credit.

Zohar Shachar, head of application security at Wix, said in a blog post describing the vulnerability that a cross-site scripting issue was present in how Google Maps handles its export features.


After creating a map, the service allows this content to be exported in a variety of formats, one of which is KML, which uses a tag-based structure and is based on the XML standard. 

According to Shachar, the map name in this file format is placed inside an open CDATA tag, so its contents are "not rendered by the browser." However, by inserting special characters such as "]]>", it was possible to close the CDATA section early and add arbitrary XML content after it, leading to XSS. The researcher reported his findings to Google.

(Image: reproduction steps, credit Zohar Shachar. Caption: "Note: there is a missing ' > ' in step three.")

However, this wasn't the end of the security problem. After Google sent Shachar a message saying the XSS flaw was resolved, the researcher checked by launching Google Maps, entering the same payload, and viewing the results. 

Shachar said that what he saw was "confusing": the fix consisted of adding a new CDATA tag to close the original one. With two open CDATA tags, bypassing the fix therefore only took two closing CDATA sequences.
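The CDATA break-out described above, modelled as an added example (not Shachar's or Google's code): an assumed exporter that copies the map name into a CDATA section verbatim, the escaping that makes a literal "]]>" safe, and a re-validation check of the kind the researcher recommends. The element layout, function names and payload strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def kml_unescaped(map_name: str) -> str:
    # Assumed shape of the vulnerable export: the map name is copied into CDATA as-is.
    return f"<kml><Document><name><![CDATA[{map_name}]]></name></Document></kml>"

def cdata_escape(text: str) -> str:
    # "]]>" cannot be escaped inside a CDATA section; the only safe move is to end the
    # section just before the ">" and reopen one after it: "]]>" -> "]]]]><![CDATA[>"
    return text.replace("]]>", "]]]]><![CDATA[>")

def kml_escaped(map_name: str) -> str:
    return f"<kml><Document><name><![CDATA[{cdata_escape(map_name)}]]></name></Document></kml>"

def name_injects_markup(kml: str) -> bool:
    # True when <name> acquired child elements, i.e. user text became markup.
    # Malformed output also counts as a failure: a lenient browser may still render it.
    try:
        root = ET.fromstring(kml)
    except ET.ParseError:
        return True
    return len(root.find("Document/name")) > 0

def name_round_trips(kml: str, map_name: str) -> bool:
    # Adjacent CDATA sections are joined by the parser, so the text must come back intact.
    root = ET.fromstring(kml)
    return root.find("Document/name").text == map_name

# Constructed test names: the single break-out shape from the article, plus a doubled
# variant of the kind that defeats a fix which only accounts for one closing sequence.
PAYLOADS = [
    "my map]]><injected/><![CDATA[",
    "my map]]>]]><injected/><![CDATA[<![CDATA[",
]

def revalidate(builder) -> dict:
    # Run every payload through an exporter; a real fix yields False for all of them.
    return {p: name_injects_markup(builder(p)) for p in PAYLOADS}
```

Running `revalidate(kml_unescaped)` flags both payloads, while `revalidate(kml_escaped)` flags neither and the original names survive the round trip.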


"I was genuinely surprised the bypass was so simple," the researcher noted. "I reported it so quickly (literally 10 minutes between checking my mailbox and reporting a bypass), that right after sending this mail I started doubting myself."

Roughly two hours after sending a fresh query with his findings, the researcher was told the case was being reopened. 

The first XSS issue was reported to Google on April 23. By April 27, Google's VRP team had accepted the vulnerability as legitimate, issuing the first fix and reward by June 7. The bypass of the original patch was reported on the same day, and after being resolved, the researcher received his second payout on June 18.

Each vulnerability earned Shachar $5,000, for a total reward of $10,000.

"Ever since this Google Maps fix bypass incident I started to always re-validate fixes, even for simple things, and it has been paying off," Shachar says. "I full-heartedly encourage you to do the same."


Google's bug bounty program issued a record amount of payouts over 2019. Over the year, Google paid out $6.5 million in rewards for bug bounty disclosures, and the top payout was issued to Alpha Lab's Guang Gong for a remote code execution exploit chain in the Pixel 3. The researcher was awarded $201,337. 

ZDNet has reached out to Google and will update when we hear back. 
