############################################################# # Exploit Title: Google Adservice - Arbitrary Text Reflected # Google Dork: site:adservice.google.com # Date: 2020-09-24 # Exploit Author: Gh05t666nero # Team: IndoGhostSec # Vendor: google.com # Software Version: * # Software Link: N/A # Tested on: Linux 4.14.117-perf+ #2 SMP PREEMPT Tue Sep 15 17:54:50 CST 2020 aarch64 Android ############################################################# [*] Vuln Info: ============ This vulnerability is suffered by all Google adservice subdomains worldwide, in other words adservice.google.* This vulnerability poisoned the title on the adservice subdomain which resulted in us being able to inject arbitrary texts so that the existing title on our target will experience changes according to our will. ############################################################# [*] Google Response: ================= buganizer-system@google.com Changed component: 310426 → 310543 status: New → Intended Behavior mo...@google.com added comment #4: Hey, We've investigated your submission and made the decision not to track it as a security bug. Reflecting text in a web application or an e-mail message is a known issue with too little practical impact, if the resulting text/HTML is sanitized and allows only for a limited formatting (e.g. XSS is not possible). Please read here for our rationale for this issue. This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar. If you think we've misunderstood, please do let us know! _______________________________ Reference Info: 169154143 other in adservice.google.com (WebApps) component: 310543 status: Intended Behavior reporter: gh05t666nero@gmail.com cc: gh05t666nero@gmail.com, wo...@google.com type: Customer Issue priority: P4 severity: S4 retention: Component default [i] Yep, they consider this vulnerability valid but at the same time they consider it Out of Scope because this vulnerability will not threaten Google users ############################################################# [*] Vulnerable path: ================ /ddm/fls/[Payload] ############################################################# [*] Demo: ======= https://adservice.google.com/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec https://adservice.google.co.id/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec https://adservice.google.co.uk/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec https://adservice.google.co.kr/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec ############################################################# [*] Contact: ========= # Website: www.anonsec.my.id # Telegram: t.me/Gh05t666nero # Instagram: instagram.com/ojan_cxs # Twitter: twitter.com/Gh05t666nero1