Google Keep DOS – On July 30, 2021, bug hunter Tommaso De Ponti uncovered a critical vulnerability within Google Keep, a widely-used note-taking application. The vulnerability, identified as a client-side Denial of Service (DoS) exploit, could potentially block users from accessing their Keep notes.

During his investigation, De Ponti noticed an unusual behavior in Keep’s note functionality: a maximum character limit with accompanying filters to prevent misuse. However, he discovered that the character “Ⱦ” could bypass these filters, allowing for the insertion of an excessive number of characters into a note.

This discovery led De Ponti to develop a payload using the “Ⱦ” character to flood a Keep note with an overwhelming number of characters. Furthermore, by exploiting the note-sharing feature, he could distribute these malicious payloads to unsuspecting users, effectively blocking access to their Keep notes upon opening the shared note.

Despite the significant impact of the vulnerability, the bounty awarded by Google VRP to De Ponti was only $500, a relatively modest sum. Nevertheless, this discovery underscores the importance of rigorous security testing and ongoing efforts to protect digital platforms.

Looking ahead, De Ponti remains committed to sharing his findings and insights on cybersecurity, bug hunting, and related topics. His Twitter account serves as a valuable resource for knowledge sharing and collaboration within the cybersecurity community. Stay tuned for further updates and discoveries from this dedicated bug hunter.

Link to read full write up: here

Save the PDF here