Francisco Correa Security.log

Google Firebase demo console platform was allowing an attacker to store an XSS under the project name. This vulnerability was created on the main page of the select project.  - "The Firebase demo project is a standard Firebase project with fully functioning Analytics, Crash Reporting, Test Lab, Notifications, Google Tag Manager and Remote Config features. Any Google user can access it. It’s a great way to look at real app data and explore the Firebase feature set."  https://support.google.c om/firebase/answer/7157552 - Using Google IAM ( console.cloud.google.com ) was possible to create a payload and share it to the victim. Once the victim accepts the invitation at console.firebase.google.com the payload was rendered on the main project page. Impact: The attacker could share a project from " console.cloud.google.com " and store an XSS payload under   console.firebase.google.com . This stored payload was been rendered every time the victim

Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005.  Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily. In August 2011 the site reported that it was hosting more than 6 billion images and this number continues to grow steadily according to reporting sources. I start doing my security research on flickr.com and I found some cool bugs but this XSS was my favorite because the XSS was showing on Flickr main page and on the Mobile interface at m. flickr.com.   Affecting millions of users for sure..   This attack works by inviting the Victim to a group. The XSS  loads when the victim get notify about a group invitation. Making this XSS very dangerous and perfect to target specific people or people in general. I report this two bugs to Yahoo Security team and I got two nice reward. Thanks Yahoo security Team! Video: Soon.

Google Shopping Express   is a same-day shopping service ("shop local stores online and get items delivered on the same day") from   Google   that was launched on a free trial basis in   San Francisco   and   Silicon Valley   in spring 2013 and publicly in September that year. This store XSS was showing at "Shopping Express Checkout" and by adding payload on the parameter "City" in wallet.google.com I could bypass restrictions and trigger this XSS back on Google Checkout. Image of Proof: This XSS was trigger just before paying pretty handy don't you think? Well I report this to Google Security Team and they reply very quick. Fixing this bug within a week: I'm very happy to be back on Google Hall of Fame and I like to thanks Google Security Team for the reward. I create a video reproducing this XSS:

The same-origin policy is an important concept in the web application security model. The policy permits scripts running on pages originating from the same site. I found that users using FlashFirebug  are vulnerable to same-origin policy bypass. This Firefox add-ons create a files on the Flash Player Trust directory disallowing same-origin policy. For this example I will use Facebook Video preview box to trigger this Flash XSS. (Fortunately Faceboook use attachment.fbsbx.com ) By using a Flash XSS plus having FlashFirebug install on the Victim Firefox I can trigger this XSS and bypass Same Origin Policy I report this to Facebook and this was the response: And me as a good bounty hunter I report to Adobe: After doing a bit of looking I found that o-minds.com have a report bug page and here is their response:  I reply to them and after that I didn't receive a response. My conclusion: External Addons can bypass Flash "Same Origin Pol

 Here.com, is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.  HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS. I report a similar bug to Waza.com a few months ago .  Nokia Reponse:   Thanks to Nokia for starting this bug bounty program .

I found a Flash XSS at AT&T main domain where an attacker could stealing credentials of users. Vuln URL: http://www.att.com/media/en_US/scripts/JSAM/JSAM_VideoPlayer.swf?completeHandler= JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}// &source=https://www.wireless.att.com/home/video_progressive/video_marquees/B2CNDA-24-emerald-hp-marquee-bkd.mp4 Payload: JSAM.flashCompleteHandler);}catch(e) {alert(document.cookie);}// Flash Vuln Code: public function videoPlayer_completeHandler(_arg1:VideoEvent):void{ if (ExternalInterface.available){ ExternalInterface.call(completeHandler, ExternalInterface.objectID); } else { trace("JSAM_VideoPlayer cannot call completeHandler because ExternalInterface is not available."); }; } Proof: After 2 months AT&T Response: I hope to be on the top 10 Award :)