Google bugs stories and the shiny pixelbook.

Peace upon you hunters, hope y'all doing good, My gift from google security team has landed today, Here I am sharing the bugs that got it for me, along the past year (2017) which also ranked me at 7 onto google HOF, anyway, there is nothing special about them, but folks wanted to see them.

appreciation have always had its own Words. Thanks guys @sirdarckcat

— Missoum Said (@missoum1307) February 19, 2018

i was rediscovering the app,I usually do that with google VRP, they push updates and new designs from time to time, and I had just noticed this url loading, nobody would have missed it, 100 percent of hunters would try their bullet in host-callback-url paramter, so did I, and got the XSS fired .
full XSS url was as follow :

2) Stored XSS:
if you ever hunted in then you have seen that they got an option for editing the website of your business location, what you'll be sure of website editing is always ability to inject at least tags like

<a> <img> , and once again, from the editing area click the link button then add your bullet 'javascript:alert(1)', somewhow clicking normally on the the generated link was not firing the XSS, CTRL or Shift + click was needed to fire the XSS.

3)changing your home temperature through leaking your nest access token in referer:
one day i was checking my phone (android device),seen that they wanted to push an update which was the google assistant with her lovely voice lol, after the the assistant installed I ran burpsuite up and start looking around the app and i was lucky that there were too much things to play with.
in google assistant you can control your smart home devices by linking third parties (the ones that control your smart home's devices), what cought my attention in there is "nest" app, as its owned by google and other are just third parties and wont be rewarded, the attack flow was as follow:

the redireting was coming back through <meta http-equiv="refresh" content="0;URL=''" /> you'd have been able to XSS the matter before few years ago, as most browsers now refusing to refresh to a javascript: URL.

anyway, this XSS wasnt rewarded because it works only on older browsers but leaking the nest access token was, sometimes having google products/devices gives you advantges.

4) google Local Guides Stored XSS via AngularJS Injection:
if you used to share reviews, photos, about the places in google maps then you are familiar with google Local Guides product, at some certain level, google will offer you to create a meetup, creating the meetup with angularjs exprestion in name of the meetup was stored and exectued back. contribute whenever you can with google.

5) google maps reflected XSS:
this one was also related to google Local Guides but diffrent root, like every hunter, I have multiple google accounts, at one point, I was trying to access a url from account with creating meetup privilege with account without that privilege and then something interesting show up on screen. a url with paramter and value, i didnt use to see, espcially when you are familiar with google vrp. the value was reflected back nacked , i mean without sanitizing special characters. so the vulnerable url was something like : I forgot to take any screenshots or record the POC, and deleted the report email. beside my account in google local guide has blocked by a google staff. lesson learn here is, always check apps,links,features with low preveillge account espcilally with Google VRP, you got no idea what'll show up.

6) reflected XSS IE only:
this XSS's found after reading

Combination of techniques lead to #DOM Based #XSS in #Google. #VRP #XSS #Google //cc:@sirdarckcat

— Sasi Levi 🎧 (@sasi2103) September 19, 2016
google earthengine is a planetary-scale platform for Earth science data & analysis, decided to take a look, felt it vulnerable and my perspective was correct, when it comes to data, the appalication should be having something like uploading or downloading data, examining the appliaction revealed feature to add data layer from Fusion Table.
i would mention here that this feature was available in some accounts and was not in some accounts, honestly till now i dont know why! uploading the data, showed that the table name stored and without sanitazing but wait, the response was appliaction/json , checking the http headers also showed there was neither x-frame-options nor x-content-type-options, as some of you learn that i am telling the perfect conditions to get an xss on IE 11 by forcing the content-type to be text/html . @cure53berlin's resaerch shows a trick how to do that.
their research is a treasure i highly recommend reading it carefully.
this was a self-stored XSS till i discovered that the adding the data was lacking the CSRF protection,combining thse minor issues:
i could XSS the victim account, sometimes bugs are looking for ya .

these bugs were all i could collect, still there two or three high-bounty bugs but i couldnt find them, i hope you didnt get bored reading it. i highlighted some advices that helps you with google vrp, i would like to thank google security team,especially @sirdarckcat this guy is a strong bridge between hunters and google vrp, just leave us a comment if you feel to at @missoum1307
peace upon you.