Zohar Shachar, head of application security at Wix.com, recently discovered a cross-site scripting (XSS) vulnerability in Google Maps and reported it to Google. For his submission, the researcher was awarded a $5,000 reward under Google's bug bounty program.
However, the researcher found that the fix Google deployed in Google Maps on June 7 did not resolve the problem, so he sent a second report showing how the patch could be bypassed with a near-identical exploit. Google acknowledged the issue a second time and paid the researcher another $5,000.
The vulnerability concerns the feature that lets users create their own custom maps. Google Maps allows these custom maps to be exported in several formats, including Keyhole Markup Language (KML), which is XML-based.
When this format is chosen, the server's response wraps the user-supplied map name in a CDATA section. A CDATA section tells an XML parser to treat everything up to the terminator ']]>' as literal character data rather than markup, which is why it is often used to embed user input in XML. The researcher showed that this protection could be broken out of and turned into an XSS vector.
“Specifically, by adding ‘]]>’ at the beginning of your payload (i.e. as the beginning of the ‘map name’), you can escape from the CDATA and add arbitrary XML content (which will be rendered as XML) – leading immediately to XSS,” the researcher explains.
The same method worked against Google's first fix, except that this time the payload contained two CDATA terminators rather than one.
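As an added illustration (not Google's code, the researcher's payload, or anything from the original article), the Python below builds a minimal KML document around a map name three ways: dropping it straight into a CDATA section, running an assumed filter that strips a single ']]>', and applying the standard CDATA-splitting encoding. It then parses each result to check whether the name reached the XML parser as markup. The KML skeleton, the function names, the strip-once filter and the '<injected/>' marker element are all assumptions made for the example; the marker stands in for whatever XML an attacker would actually place there.

```python
# Added example, not code from Google, the researcher, or the article.
# Shows why untrusted text inside a CDATA section can escape it, why a
# strip-one-terminator filter is bypassable, and the standard fix.
# Assumptions: the KML skeleton, the function names, the "strip once"
# filter and the <injected/> marker element are invented for illustration.
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed payloads: the attacker-controlled "map name".  The trailing
# "<![CDATA[" keeps the document well-formed after the break-out so the
# result can be parsed and inspected; a real payload would carry script markup.
PAYLOAD = "]]><injected/><![CDATA["
PAYLOAD_DOUBLE = "]]>]]><injected/><![CDATA["


def build_kml(name_fragment: str) -> str:
    """Wrap an already-encoded <name> value in a minimal KML document (assumed skeleton)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<kml xmlns="{KML_NS}"><Document><name>{name_fragment}</name></Document></kml>'
    )


def cdata_vulnerable(name: str) -> str:
    """Untrusted text placed directly in a CDATA section: a ']]>' in it ends the section."""
    return f"<![CDATA[{name}]]>"


def cdata_strip_once(name: str) -> str:
    """An assumed filter that removes one ']]>'.  Two terminators collapse to one."""
    return f"<![CDATA[{name.replace(']]>', '', 1)}]]>"


def cdata_safe(name: str) -> str:
    """Standard CDATA splitting: each ']]>' in the data becomes ']]]]><![CDATA[>'.

    The terminator never appears inside a single section, and the parser
    concatenates the pieces back into the original text, so nothing is lost
    or reinterpreted as markup."""
    return f"<![CDATA[{name.replace(']]>', ']]]]><![CDATA[>')}]]>"


def analyse(kml: str) -> tuple:
    """Parse the document and return (name text, number of child elements of <name>).

    A non-zero child count means the map name reached the parser as markup,
    which is the condition the XSS relies on.  A parse error is reported as (None, -1)."""
    try:
        root = ET.fromstring(kml)
    except ET.ParseError:
        return (None, -1)
    name = root.find(f"{{{KML_NS}}}Document/{{{KML_NS}}}name")
    return (name.text or "", len(list(name)))


def round_trips(encoder, name: str) -> bool:
    """True if the encoder preserves the name exactly and lets no markup through."""
    return analyse(build_kml(encoder(name))) == (name, 0)


if __name__ == "__main__":
    for label, enc in (("vulnerable", cdata_vulnerable),
                       ("strip once", cdata_strip_once),
                       ("split", cdata_safe)):
        for p in (PAYLOAD, PAYLOAD_DOUBLE):
            print(f"{label:10} {p!r:32} -> {analyse(build_kml(enc(p)))}")
```

The strip-once filter stops the single-terminator payload but silently mangles the name, and the doubled payload collapses into a working break-out again; only the splitting encoding returns the name unchanged with no child elements. The check above stops at the parser, which is the part a server-side fix controls. Whether escaped markup then executes as script depends on the client: the browser has to render the response body as XML rather than offer it as a download, and the injected content has to be something the renderer runs.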
Google has since resolved the bug in Google Maps, and the researcher received the second bounty payment on June 18.