$18337 XSS and SSRF Google Dataset – In 2018, security researcher [@signalchaos] uncovered two critical vulnerabilities in Google’s Public Data Explorer: a stored XSS and an SSRF.
Both issues lived in the Explorer’s handling of the Dataset Publishing Language (DSPL), the bundle format (a dataset.xml plus its data files) that the tool ingests.
The root cause of the XSS was that the Public Data Explorer rendered dataset metadata without context-aware output encoding or validation. Anyone who could upload a DSPL bundle could therefore put a JavaScript payload into a metadata value.
Specifically, by altering the name value in the dataset.xml file, an attacker could execute arbitrary JavaScript in the origin of www.google.com, with access to anything that origin holds.
To show the severity, the researcher provided a video proof-of-concept (PoC) of the stored XSS firing on www.google.com (the original write-up links to the video).
The attack chain is short: craft a DSPL bundle, plant the payload in its metadata, then publish the dataset so that it is stored and served to other users by Google.
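As an added illustration (not the researcher's PoC and not Google's code), the following Python parses a constructed dataset.xml in roughly DSPL's shape, pulls the name and description out of its info block the way a viewer would, and renders them with the vulnerable pattern next to the context-aware encoding that would have stopped the injection. The XML layout, the render functions and both payloads are assumptions made for the example.

```python
import html
import xml.etree.ElementTree as ET

DSPL_NS = "http://schemas.google.com/dspl/2010"

# Constructed sample in roughly the shape of a DSPL dataset.xml; not the
# researcher's actual bundle. The <name> value carries an <img> tag (legal
# XML once the angle brackets are entity-encoded in the file) and the
# <description> value carries a double-quote breakout for attribute context.
SAMPLE_DATASET_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<dspl xmlns="{DSPL_NS}">
  <info>
    <name><value>Population&lt;img src=x onerror=alert(document.domain)&gt;</value></name>
    <description><value>Census data" onmouseover="alert(1)</value></description>
  </info>
</dspl>
"""


def _tag(name):
    # ElementTree needs the namespace in Clark notation: {ns}localname
    return f"{{{DSPL_NS}}}{name}"


def dataset_info(xml_text):
    """Return (name, description) from the <info> block, i.e. the decoded
    metadata strings a viewer holds after parsing an uploaded bundle."""
    root = ET.fromstring(xml_text)
    info = root.find(_tag("info"))

    def value(field):
        node = info.find(f"{_tag(field)}/{_tag('value')}") if info is not None else None
        return (node.text or "") if node is not None else ""

    return value("name"), value("description")


def render_card_unsafe(name, description):
    """Vulnerable pattern: metadata spliced straight into HTML.
    The name lands in element-text context and the description in a
    quoted attribute; neither is encoded, so both can break out."""
    return (f'<div class="dataset" title="{description}">'
            f'<h1>{name}</h1></div>')


def render_card_safe(name, description):
    """Context-aware encoding: html.escape(quote=True) rewrites & < > " '
    so the values stay data in both HTML text and quoted attributes."""
    return (f'<div class="dataset" title="{html.escape(description, quote=True)}">'
            f'<h1>{html.escape(name, quote=True)}</h1></div>')


if __name__ == "__main__":
    name, description = dataset_info(SAMPLE_DATASET_XML)
    print("unsafe:", render_card_unsafe(name, description))
    print("safe:  ", render_card_safe(name, description))
```

The unsafe output contains a live `<img ... onerror=...>` element and a second attribute injected by the description, while the safe output carries only `&lt;`, `&gt;` and `&quot;` entities. Escaping alone covers these two contexts; a value placed into a URL attribute or a script block would need its own encoder, which is what "context-aware" means in the root-cause description above.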
Leading to SSRF (port scan)
DSPL’s ability to fetch a dataset’s data from a remote source introduced a second issue. The researcher found that this fetcher could be pointed at the Explorer’s own host, an SSRF that reaches services not exposed to the internet.
A crafted dataset.xml demonstrated this by naming ftp://0.0.0.0:22 as its data source: the fetcher connected to the local SSH port and returned the SSH banner in its response, although that service is not publicly reachable. Varying the port in the same way turns the fetcher into a port scanner of the internal host.
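An added example (not the researcher's PoC and not Google's fix) of the check a DSPL-style fetcher needs before opening a remote data source, in Python: an allowlist of schemes and ports, plus a check of every resolved address that rejects loopback, unspecified (0.0.0.0), private, link-local and IPv4-mapped targets. The FAKE_DNS table and the addresses in it are constructed so the example runs offline, and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # ftp:// is not a data source
ALLOWED_PORTS = {80, 443}             # a data fetcher has no business on port 22

# Constructed stand-in for DNS so the example runs offline. A real fetcher
# resolves the host, checks every A/AAAA answer, then connects to the checked
# address instead of resolving again (otherwise DNS rebinding defeats the check).
FAKE_DNS = {
    "data.example.org": ["93.184.216.34"],                 # public address (constructed)
    "rebind.example.net": ["93.184.216.35", "127.0.0.1"],  # one bad answer among good ones
}


def resolve(host):
    """Return the IP addresses a host maps to; literal IPs pass straight through."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in FAKE_DNS.get(host, [])]


def is_forbidden_address(ip):
    """True for any address a server-side fetcher must never connect to."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_unspecified or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved)


def check_fetch_url(url):
    """Decide whether a dataset's remote source may be fetched.
    Returns (allowed, reason); anything not explicitly allowed is denied."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed port"
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for ip in addrs:
        if is_forbidden_address(ip):
            return False, f"{host!r} resolves to forbidden address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "ftp://0.0.0.0:22",                          # the write-up's SSRF probe
        "http://0.0.0.0:22/",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata endpoint
        "https://rebind.example.net/data.csv",
        "https://data.example.org/population.csv",
    ]:
        print(candidate, "->", check_fetch_url(candidate))
```

The write-up's probe fails the very first check (scheme), and the same target over http:// fails on the port before the address is even looked at; the address check exists for the cases that pass both, such as a hostname that resolves to loopback. Two things this guard does not do on its own: it must be re-run on every HTTP redirect the fetcher follows, and the fetcher must connect to the address that was checked rather than re-resolving the name.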
USD 18337 Total Bounty for XSS and SSRF Google Dataset
The researcher reported both issues to Google in January 2018; Google confirmed and fixed them by February 2018. Google’s Vulnerability Reward Program (Google VRP) paid $5,000 for the stored XSS and $13,337 for the SSRF, $18,337 in total.
The lesson for any tool that ingests user-supplied datasets is the same on both counts: metadata is untrusted input and needs context-aware output encoding wherever it is rendered, and a server-side fetcher needs an allowlist of schemes and destinations so it cannot be aimed at the host’s own services. Google’s quick fix closed both holes in the Public Data Explorer.