
Finding a $5,000 Google Maps XSS by fiddling with Protobuf - mar1
https://medium.com/@marin_m/how-i-found-a-5-000-google-maps-xss-by-fiddling-with-protobuf-963ee0d9caff#.9eebbzaif
======
hartator
I still think $5,000 is ridiculously low. Lots of research like this fails and
it happens you do the work just to be told someone already filed a similar
bug before.

~~~
danielweber
It seems to be the market clearing price. Lots of companies think "hey, we
offer peanuts and people do all this expensive work for us."

This guy did it to land a job. Hopefully he's done with spec-work like this
and his new employer makes sure to negotiate rates ahead of time for security
reviews.

~~~
slv77
Small bounties may not be extremely effective at getting expensive people to
work for peanuts but they are very effective at destroying the underground
economy where these bugs used to be shared, traded or sold.

Since there is no honor among thieves every buyer has to assume that any bug
they buy will also be sold to other buyers. With even a moderate bug bounty in
place it becomes a prisoner's dilemma for all parties who know of the bug. The
first person to disclose the bug captures the bounty and the remaining parties
get shut out.

Since everyone in the market has to assume that everyone else is cheating the
market collapses. Microsoft has a paper on the economic incentives of the
underground economy that covers the topic nicely:

https://www.microsoft.com/en-us/research/publication/nobody-sells-gold-for-the-price-of-silver-dishonesty-uncertainty-and-the-underground-economy/

------
hgears
Fantastic analysis of a complex system. Congrats on the bounty! +1 for
dropping that you're looking for work at the end, that's a great resume post.

------
scriptsmith
Fantastic write-up. Scripting with Chrome's debug tools seems to be a
promising way to find exploits among minified js.

------
n13
Just wondering if anybody from Google asked you to apply for positions there
after this?

~~~
timdierks
@mar1, I've forwarded your interest in finding a job to our security
recruiting lead. We don't have a relevant office in the desired location, but
happy to discuss. Feel free to reach out, my email is dierks@google.com.

~~~
n13
This is the reason why I love people at Google. They do listen! :-)

------
mpeg
Very clever use of the Chrome debugger APIs.

We should connect, my company doesn't have anyone fully remote right now but
maybe we could do in the near future...

------
zippy786
Awesome find and write-up. Wondering why you did not get the full $7500 for
this.

https://www.google.com/about/appsecurity/reward-program/index.html#rewards

How come accounts.google.com is more severe than others for XSS?

~~~
jonknee
> How come accounts.google.com is more severe than others for XSS?

Because that's where the jewels are: "Control, protect, and secure your
account, all in one place"

------
nicoboo
Well done and well explained. Great thing to share your thoughts in
open-source as well. I wish you the best with your job research, companies
like Advance or Octo would be great places for you in France, based on the
skills you showed.

------
z3t4
Do you always get the bounty? Or do they sometimes fix the bug and ignore you?

------
lindgrenj6
Very cool! I didn't know that chrome's debug tools were so powerful.

------
hamilyon2
Could this type of vulnerability be found using some clever fuzzer?

~~~
CorvusCrypto
A lot of vulnerabilities like this are found with fuzzing. Same with poor
encryption schemes. Depends what your definition of clever is but normally
fuzzing is an intermediate research step to just see what response you get as
you change input to ascertain information of what's going on behind the scenes
so you can use a more directed attack later.
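
The two-step approach CorvusCrypto describes (vary the input and watch the response, then go directed), as an added example that is not code from the article, from mar1, or from anyone in this thread. It assumes a hand-rolled codec that handles only length-delimited protobuf string fields, a constructed toy renderer `renderPlaceCard` with a bug deliberately planted in field 3, and a constructed seed message; none of this is Google Maps code or the method the article used.

```javascript
// Added example, not code from the article: a minimal mutation fuzzer for
// protobuf-style messages. Each string field is replaced in turn with a
// canary wrapped in HTML metacharacters and the rendered output is checked
// for the canary surviving unescaped. The renderer is a constructed toy with
// a deliberate bug in field 3, not anything from Google Maps.
const utf8 = new TextEncoder();
const utf8dec = new TextDecoder();

// Protobuf base-128 varint; enough for tags and short lengths.
function encodeVarint(n) {
  const out = [];
  while (n > 0x7f) { out.push((n & 0x7f) | 0x80); n >>>= 7; }
  out.push(n);
  return out;
}

function decodeVarint(buf, pos) {
  let result = 0, shift = 0, b;
  do {
    b = buf[pos++];
    result |= (b & 0x7f) << shift;
    shift += 7;
  } while (b & 0x80);
  return [result, pos];
}

// Encode {fieldNumber: string} as wire-type-2 (length-delimited) fields.
function encodeMessage(fields) {
  const bytes = [];
  for (const [num, value] of Object.entries(fields)) {
    const payload = utf8.encode(value);
    bytes.push(...encodeVarint((Number(num) << 3) | 2));
    bytes.push(...encodeVarint(payload.length));
    bytes.push(...payload);
  }
  return Uint8Array.from(bytes);
}

// Decode only what encodeMessage produces; other wire types are rejected.
function decodeMessage(buf) {
  const fields = {};
  let pos = 0;
  while (pos < buf.length) {
    const [tag, afterTag] = decodeVarint(buf, pos);
    const num = tag >>> 3, wireType = tag & 7;
    if (wireType !== 2) throw new Error("unsupported wire type " + wireType);
    const [len, afterLen] = decodeVarint(buf, afterTag);
    fields[num] = utf8dec.decode(buf.subarray(afterLen, afterLen + len));
    pos = afterLen + len;
  }
  return fields;
}

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Constructed toy renderer standing in for the page that decodes the message.
// Fields 1 and 2 are escaped; field 3 is interpolated raw (the planted bug).
function renderPlaceCard(wireBytes) {
  const f = decodeMessage(wireBytes);
  return `<div class="place"><h2>${escapeHtml(f[1] || "")}</h2>` +
         `<p>${escapeHtml(f[2] || "")}</p><span>${f[3] || ""}</span></div>`;
}

// Exploratory step: one mutant per field, each carrying a distinct canary so
// the field responsible for any unescaped reflection is identifiable.
function findUnescapedFields(seedFields, render) {
  const hits = [];
  for (const num of Object.keys(seedFields)) {
    const canary = "zz" + num + "zz";
    const mutant = { ...seedFields, [num]: "<" + canary + ">\"'" };
    const html = render(encodeMessage(mutant));
    if (html.includes("<" + canary + ">")) hits.push(Number(num));
  }
  return hits;
}

// Directed step: once a field is known to reach the DOM raw, place a real
// payload in just that field and confirm it appears verbatim.
function confirmInjection(seedFields, fieldNum, render, payload) {
  const html = render(encodeMessage({ ...seedFields, [fieldNum]: payload }));
  return html.includes(payload);
}

// Constructed seed message; run the two steps end to end.
const SEED = { 1: "Eiffel Tower", 2: "Champ de Mars, Paris", 3: "open daily" };
const vulnerable = findUnescapedFields(SEED, renderPlaceCard);
console.log("fields reflected unescaped:", vulnerable);
if (vulnerable.length) {
  console.log("injection confirmed:",
    confirmInjection(SEED, vulnerable[0], renderPlaceCard, "<img src=x onerror=alert(1)>"));
}
```

Against a real target the `render` callback would be the round trip through the application (send the re-encoded message, fetch the resulting DOM), and the canary check is what distinguishes "the field is displayed" from "the field is displayed without escaping", which is the information the exploratory step is meant to produce before any directed payload is tried.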

------
otterley
Nice work, Marin. Great detail on your methods and findings.

