A security researcher late last week disclosed that they found two vulnerabilities in the Google Cloud Platform, one on DevSite, the other on Google Play — bad code that could have led to hijacked accounts via cross-site scripting (XSS) attacks.
The two bugs were reported by NDevTK, who posted a tweet with a link to the researcher’s GitHub page. The researcher earned a $3,133.70 bounty for the DevSite bug and $5,000 for finding the vulnerability in Google Play.
For the DevSite bug, NDevTK said an attacker-controlled link could run JavaScript on the origins of http://cloud.google.com and http://developers.google.com, which means a bad actor could read and modify their contents, bypassing the same-origin policy.
The Google Play bug was a Document Object Model (DOM)-based XSS vulnerability. The researcher reported that on the search page of the Google Play console, vulnerable code ran when a search resulted in an error, a condition that is fairly easy for an attacker to trigger.
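The pattern described above, where only the error branch of a search page handles input unsafely, is sketched below as an added example; it is not Google's code and not taken from the researcher's report. The function names, the stubbed `runSearch` backend and the probe string are hypothetical, and the renderers return markup strings so the check runs under Node without a browser (in a page, such a string would reach a DOM sink like `innerHTML`).

```javascript
// Added illustration (hypothetical, not Google's code): a search page whose
// success path escapes its data but whose error path does not.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Hypothetical backend stub: rejects over-long queries so the error branch runs.
function runSearch(query) {
  if (query.length > 20) throw new Error("query too long");
  return [`result for ${query}`];
}

// Vulnerable: the error branch interpolates the raw query into markup.
function renderSearchVulnerable(query) {
  try {
    const items = runSearch(query).map((r) => `<li>${escapeHtml(r)}</li>`).join("");
    return `<ul>${items}</ul>`;
  } catch (err) {
    return `<p class="error">No results for ${query}: ${err.message}</p>`;
  }
}

// Hardened: every branch escapes untrusted data before it becomes markup.
function renderSearchSafe(query) {
  try {
    const items = runSearch(query).map((r) => `<li>${escapeHtml(r)}</li>`).join("");
    return `<ul>${items}</ul>`;
  } catch (err) {
    return `<p class="error">No results for ${escapeHtml(query)}: ${escapeHtml(err.message)}</p>`;
  }
}

// Regression check: does a tag from the input survive into the output?
// PROBE is a constructed, inert test string long enough to force the error path.
const PROBE = '<b data-probe="constructed-test-marker">x</b>';
function reflectsMarkup(render) {
  return render(PROBE).includes("<b data-probe");
}

console.log("vulnerable reflects markup:", reflectsMarkup(renderSearchVulnerable));
console.log("hardened reflects markup:", reflectsMarkup(renderSearchSafe));
```

A test suite that only exercises successful searches passes for both renderers, which is why the check deliberately drives the error branch.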
“XSS attacks have been an issue for a long time and it’s proven difficult to fully eradicate them,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “The more complex the code becomes, the easier it is to miss closing off all the potential vulnerabilities,” Parkin said.
Casey Bisson, head of product growth at BluBracket, added that progressive teams are using automated security tools to help developers detect and eliminate questionable coding practices and secrets in code, such as default passwords or backdoor passcodes, at every commit and pull request.
“The next step is integrating application security engineers earlier in the development process to proactively design security into products and services,” Bisson said.