
Highly XSS at Google Hangouts (Reward)

First of all, I'd like to say that this XSS is stored on the Google "sandbox", and it is impossible to grab cookies.

But it's possible to send it to another user using the "Google Art Project Add-ons" at

Hangouts allows users to hold conversations between two or more users. The service can be accessed online through the Gmail or Google+ websites, or through mobile apps available for Android and iOS (which were distributed as a successor to their existing Google Talk apps).

This persistent XSS can be more significant than other types because an attacker's malicious script is rendered automatically when a modified art project is shared with the victim using the Hangouts add-ons
(as shown below).

(This is an interactive chat and can easily be used by anyone.)

I first modify the Art Project I want to inject at

Then, using the Google Art Project Add-ons on "Google Hangouts", I can share it with all users in the chat, triggering the XSS.

(Below Google Art Injection Points)

This attack can be used to publish a user-login cross-site scripting attack or other malicious scripts.

Google response:

I'd like to thank Google again for this reward.

Popular posts from this blog

Store XSS on Shopping Express Checkout [Reward]

Google Shopping Express is a same-day shopping service ("shop local stores online and get items delivered on the same day") from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year.
This stored XSS showed up at "Shopping Express Checkout", and by adding a payload to the parameter "City" in I could bypass restrictions and trigger this XSS back on Google Checkout.
Image of Proof:
This XSS was triggered just before paying. Pretty handy, don't you think?
Well, I reported this to the Google Security Team and they replied very quickly, fixing this bug within a week:

I'm very happy to be back on the Google Hall of Fame, and I'd like to thank the Google Security Team for the reward.
I created a video reproducing this XSS:

Store XSS on Main page of and Mobile Interface

Flickr is an image hosting and video hosting website, and web services suite that was created by Ludicorp in 2004 and acquired by Yahoo in 2005. 

Flickr had a total of 87 million registered members and more than 3.5 million new images uploaded daily. In August 2011 the site reported that it was hosting more than 6 billion images, and this number continues to grow steadily according to reporting sources.

I started doing my security research on and I found some cool bugs, but this XSS was my favorite because it showed up on the Flickr main page and on the mobile interface at

Affecting millions of users for sure.

This attack works by inviting the victim to a group. The XSS loads when the victim gets notified about a group invitation, making this XSS very dangerous and perfect for targeting specific people or people in general.

I reported these two bugs to the Yahoo Security Team and I got two nice rewards.

Thanks, Yahoo Security Team!

Video: Soon.

Dangerous Persistent XSS at [FIX], is a Nokia business unit that brings together Nokia's mapping and location assets under one brand. The technology of Here is based on a cloud-computing model, in which location data and services are stored on remote servers so that users have access to it regardless of which device they use.

HERE Map Creator is a service launched by Nokia in November 2012 to allow users to map their neighborhood.

With this bug I could save a road name with a payload on the map. Any user that tries to re-edit the street name will get this XSS.
I reported a similar bug to a few months ago

Nokia Response:

Thanks to Nokia for starting this bug bounty program.