Skip to main content

Dangerous XSS Persistent at


Waze is currently using its second generation map editing interface. Known as the Waze Map Editor (or WME for short), it is the default editor for Waze since September 19, 2011. This editor interface is internally code-named "Papyrus", and was functionally upgraded on April 21, 2013. 


When adding an alternate city and street name was possible to inject a nice XSS.

If I save on the editor all users that click on the street get the XSS.

Google Response:

Next time I will wait 6 months :)

Report: Wed, Jun 26, 2013 at 7:53 PM 
Fix: Tue, Jul 02, 2013 at 9:00 PM

Popular posts from this blog

Store XSS on Shopping Express Checkout [Reward]

Google Shopping Express   is a same-day shopping service ("shop local stores online and get items delivered on the same day") from   Google   that was launched on a free trial basis in   San Francisco   and   Silicon Valley   in spring 2013 and publicly in September that year. This store XSS was showing at "Shopping Express Checkout" and by adding payload on the parameter "City" in I could bypass restrictions and trigger this XSS back on Google Checkout. Image of Proof: This XSS was trigger just before paying pretty handy don't you think? Well I report this to Google Security Team and they reply very quick. Fixing this bug within a week: I'm very happy to be back on Google Hall of Fame and I like to thanks Google Security Team for the reward. I create a video reproducing this XSS:

Dangerous Persistent XSS at [FIX], is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.  HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood. With this bug I could SAVE a Road name with a payload on the map. Any user that try on re-edit the street name will get this XSS. I report a similar bug to a few months ago .  Nokia Reponse:   Thanks to Nokia for starting this bug bounty program .

On the Wall of Fame of SproutSocial

Nice I'm on the Wall of Fame of