Google AdWords XSS’es
I don't normally disclose vulnerabilities for web applications - but it's Google.
I've been mailing them - and they told me I didn't find anything of relevance.
So they decided not to patch the vulnerabilities.
...and if there aren't any vulnerabilities, I must be able to write about them, right?
Okay, it is nothing fancy - really.
Just two reflected XSS'es.
But in my world, an exploit is an exploit.
So here goes XSS #1:
...and XSS #2:
Sadly, I wasn't able to do anything "outwards".
It would've been a lot of fun if I would've been able to run bogus JavaScripts on sites showing my Ad.
Even more sad was the fact I didn't get any credit or reward...
Oh well.
I bet they'll patch these 0-days now at least!
Ciao bella!
Note: This has nothing to do with Jelmer's findings.



Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.