Thursday, May 26, 2016

Google got by XXE Vulnerability



It is very true that the Bug Bounty Program, introduced earlier by Google and followed by other internet giants such as Facebook, has really helped organisations. The scheme of rewarding reports of unique security loopholes has helped both security researchers and organisations. It motivates hackers/researchers to expand their knowledge and also keeps the word "Ethical" alive in the cyber security field.
Security researchers and co-founders of Detectify have discovered a critical security vulnerability in Google that allowed them to access internal servers. According to the researchers' explanation, the vulnerability exists in the Google Toolbar Button Gallery. The gallery page allows users to customize their toolbar with buttons. The page also allows users to create their own buttons by uploading an XML file.


This upload function lets an attacker trigger an XML External Entity (XXE) vulnerability by sending a crafted XML file. After sending the crafted XML file, the researchers were able to read internal files stored on the Google product server. Exploiting this vulnerability further, the researchers managed to read the "etc/passwd" and "etc/host" files on the server.

Furthermore, an attacker can use such a flaw for many other tasks, such as local file access, SSRF and Remote File Includes, Denial of Service and possibly Remote Execution. For this critical report Google rewarded the researchers with $10,000.
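For anyone running a similar XML upload feature, the sketch below shows one way to refuse documents that carry a DOCTYPE or entity declaration before they reach the real parser. It is an added example, not code from Google or Detectify; the `<button>` format, the function names and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when an uploaded document is malformed or declares a DTD/entity."""


def _forbid(what):
    # Build an expat callback that aborts parsing as soon as it fires.
    def handler(*_args):
        raise UnsafeXML(f"{what} not allowed in uploaded XML")
    return handler


def parse_upload(data: bytes) -> ET.Element:
    """Reject DTDs and entity declarations first, then parse the document."""
    guard = expat.ParserCreate()
    # No DOCTYPE means no external entities (file read, SSRF) and no
    # entity-expansion bombs (denial of service).
    guard.StartDoctypeDeclHandler = _forbid("DOCTYPE declaration")
    guard.EntityDeclHandler = _forbid("entity declaration")
    guard.ExternalEntityRefHandler = _forbid("external entity reference")
    try:
        guard.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the upload passes the guard, False if it is refused."""
    try:
        parse_upload(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample uploads (hypothetical button format).
SAFE_UPLOAD = b"<button><title>Example</title></button>"
XXE_UPLOAD = (
    b'<!DOCTYPE button [<!ENTITY ext SYSTEM "file:///path/to/local/file">]>'
    b"<button><title>&ext;</title></button>"
)

if __name__ == "__main__":
    print("safe upload accepted:", is_accepted(SAFE_UPLOAD))
    print("XXE upload accepted:", is_accepted(XXE_UPLOAD))
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution alone, which suits an upload format that has no legitimate need for a DTD.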
