Multiple security vulnerabilities in domains acquired by Google


Several vulnerabilities have been discovered in domains recently acquired by Google, between April 2017 and September 2017.

The reported vulnerabilities are related to the following domains: and

The flaws are of the following kinds: broken access control, directory traversal and XSS vulnerabilities.

1. Broken Access Control in

Vulnerability: CWE-284

Access Vector: Remote

Security Risk: High

CVSS Base Score: 7.5

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

Access control involves the use of several protection mechanisms such as authentication (proving the identity of an actor), authorization (handling access permissions), and accountability (tracking of activities).

The website does not restrict access to private resources from an unauthorized user. Attackers can exploit this flaw to access unauthorized data, such as other users' private tours.

Proof of Concept

Steps to reproduce:

  1. Log in here:
  2. Now try to access the following private tour:
  3. You will get the following message: "You do not have permission to view this tour."
  4. We were able to bypass this protection and get access to this private tour with the link below:

Then, by checking the downloaded CSV file, it is possible to find all information related to this private tour.

The proof of concept is shown in the following picture: Private tour.

Since all private tours have the same format:, it is possible to get unauthorized access to any tour by following this format:

  1. Note that it is possible to enumerate the IDs of private tours.

    First, using the following GHDB query: intitle:"Sign in"

We got several links like

Brute-forcing private IDs also works, as in fact only a few characters change (7 chars).
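Added example (not the vendor's code, which this advisory does not show): a constructed Python model of the authorization gap described above, where the HTML view enforces the ownership rule but the CSV export does not, beside a fixed version in which every endpoint loads the tour through one guard. Tour IDs, user names and stops are hypothetical.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised by the fixed endpoints when the caller may not read the tour."""


@dataclass(frozen=True)
class Tour:
    tour_id: str
    owner: str
    private: bool
    stops: tuple


# Constructed sample data; the IDs are hypothetical, not the advisory's.
TOURS = {
    "pub-0001": Tour("pub-0001", "alice", False, ("Museum", "Park")),
    "prv-0002": Tour("prv-0002", "alice", True, ("Home", "Office")),
}


def can_view(user, tour):
    """Single authorization rule: public tours are open, private ones only to their owner."""
    return (not tour.private) or tour.owner == user


# --- Vulnerable pattern: the HTML view checks the rule, the CSV export does not ---
def view_tour_vulnerable(user, tour_id):
    tour = TOURS[tour_id]
    if not can_view(user, tour):
        return "You do not have permission to view this tour."
    return ", ".join(tour.stops)


def export_csv_vulnerable(user, tour_id):
    tour = TOURS[tour_id]  # no authorization check: anyone holding the ID gets the data
    return "\n".join(tour.stops)


# --- Fixed pattern: every endpoint that reads a tour goes through one guard ---
def load_tour_for(user, tour_id):
    tour = TOURS.get(tour_id)
    # Same error for "missing" and "forbidden", so the response does not reveal
    # which guessed IDs exist (relevant when IDs are short enough to brute-force).
    if tour is None or not can_view(user, tour):
        raise Forbidden("You do not have permission to view this tour.")
    return tour


def view_tour_fixed(user, tour_id):
    return ", ".join(load_tour_for(user, tour_id).stops)


def export_csv_fixed(user, tour_id):
    return "\n".join(load_tour_for(user, tour_id).stops)
```

The vulnerable pair reproduces the advisory's behaviour: the view refuses a non-owner, yet the export hands over the same tour's data.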

Timeline (dd/mm/yyyy)

  • 28/05/2017 : Initial discovery
  • 28/05/2017 : Contact with vendor team
  • 30/05/2017 : Vendor response: Nice catch! (see picture: Vendor response)
  • 01/06/2017 : Vendor release fix

2. Directory traversal vulnerability in

Vulnerability: CWE-22

Access Vector: Remote

Security Risk: High

CVSS Base Score: 8.6

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Vulnerability Description

A directory traversal vulnerability has been found on This vulnerability allows remote attackers to access restricted directories and read arbitrary files.

Proof of Concept

Steps to reproduce:

  1. Click on the link below:

It is then possible to download the Gemfile.

Timeline (dd/mm/yyyy)

  • 16/04/2017 : Initial discovery
  • 16/04/2017 : Contact with vendor team
  • 18/04/2017 : Vendor acknowledgement: Nice catch! (see picture: Vendor response)
  • 05/05/2017 : Bug Patched

3. Stored XSS Vulnerability in

Access Vector: Remote

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 7.2

CVSS Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Vulnerability Description

Two cross-site scripting (XSS) vulnerabilities have been found on They allow remote attackers to inject arbitrary JavaScript.

Proof of Concept

Steps to reproduce:

  1. Log in to

  2. Then change your display name to the following payload: <marquee onstart=alert(1)>test

  3. As soon as a victim follows you (, the injections are triggered.

There is also a reflected XSS in the link below (triggered using Firefox):;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

Timeline (dd/mm/yyyy)

  • 07/09/2017 : Initial discovery
  • 07/09/2017 : Vendor notification
  • 12/09/2017 : Vendor responses are shown in the following picture: Reflected XSS
  • 28/11/2017 : Vendor fixes vulnerabilities


  • Issam Rabhi (i dot rabhi at sysdream dot com)