An Israeli security researcher has found a cross-site scripting (XSS) vulnerability in a feature of Google Maps that enables users to create their own maps. An attacker could exploit the bug to execute malicious script in the victim's browser. Zohar Shachar received $10K for finding the bug, which Google fixed in 2019.
- Shachar discovered a way to break out of the CDATA section and append arbitrary XML content that the browser would render; this escape is the root of the bug.
- To exploit the flaw, an attacker would have to create a new map, rename it with an XSS payload, set its permission to public, export it as a KML file, copy the download link, send the link to the victim, and wait for the victim to click it.
- Shachar earned an initial bug bounty of $5K for finding the bug and another $5K for bypassing Google's initial patch.
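As an added illustration (not the researcher's payload and not Google's code), the defensive pattern the bug points at: a user-supplied map name placed inside a KML CDATA section must have any `]]>` terminator neutralised, or the name should be entity-escaped instead of wrapped in CDATA. The KML fragment, the sample name and the helper functions are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample name: contains a CDATA terminator followed by markup.
# It is a benign stand-in for the class of input described above.
CONSTRUCTED_NAME = 'my map]]><b>injected</b><![CDATA['


def kml_name_unsafe(name: str) -> str:
    """Wraps the name in CDATA without neutralising ']]>'.
    A name containing ']]>' closes the CDATA section early, so whatever
    follows is parsed as markup rather than as text."""
    return f'<Document><name><![CDATA[{name}]]></name></Document>'


def kml_name_safe(name: str) -> str:
    """Same wrapper, but each ']]>' is split across two CDATA sections
    (']]' ends the first, '>' opens the second), so the terminator never
    appears verbatim inside a section and the full name survives as text."""
    split = name.replace(']]>', ']]]]><![CDATA[>')
    return f'<Document><name><![CDATA[{split}]]></name></Document>'


def kml_name_escaped(name: str) -> str:
    """Alternative: avoid CDATA entirely and entity-encode &, < and >.
    escape() also turns ']]>' into ']]&gt;', which XML requires in content."""
    return f'<Document><name>{escape(name)}</name></Document>'


def parsed_name(kml: str) -> str:
    """Parses the fragment and returns the <name> text a consumer would see."""
    return ET.fromstring(kml).find('name').text or ''


def name_has_markup(kml: str) -> bool:
    """True if <name> ends up with child elements after parsing, i.e. the
    user input escaped the CDATA section and became markup."""
    return len(list(ET.fromstring(kml).find('name'))) > 0


if __name__ == '__main__':
    for label, build in (('unsafe', kml_name_unsafe),
                         ('safe', kml_name_safe),
                         ('escaped', kml_name_escaped)):
        kml = build(CONSTRUCTED_NAME)
        print(f'{label:8} markup={name_has_markup(kml)} text={parsed_name(kml)!r}')
```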