#############################################################
# Exploit Title: Google Adservice - Arbitrary Text Reflected
# Google Dork: site:adservice.google.com
# Date: 2020-09-24
# Exploit Author: Gh05t666nero
# Team: IndoGhostSec
# Vendor: google.com
# Software Version: *
# Software Link: N/A
# Tested on: Linux 4.14.117-perf+ #2 SMP PREEMPT Tue Sep 15 17:54:50 CST 2020 aarch64 Android
#############################################################
[*] Vuln Info:
============
This issue affects all Google adservice subdomains worldwide, in other words adservice.google.*. Text supplied in the URL path is reflected into the page title on the adservice subdomain, so arbitrary text can be injected and the title of the target page changes to whatever the requester chooses.
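Added triage helper, not part of the original advisory: it pulls the injected segment out of a demo URL of the form shown below and classifies whether a response reflects that segment in the <title> raw, HTML-escaped, or not at all (the escaped case is the low-impact one Google's response describes). The HTML responses are constructed samples, not captured pages.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample responses (not captured from Google): the title echoes
# the last path segment escaped, raw, or as plain text.
SAMPLE_ESCAPED = "<html><head><title>poisoned by &lt;b&gt;tester&lt;/b&gt;</title></head></html>"
SAMPLE_RAW = "<html><head><title>poisoned by <b>tester</b></title></head></html>"
SAMPLE_TEXT = "<html><head><title>poisoned by tester</title></head></html>"

HTML_SPECIAL = set('<>"\'&')


def path_segment(url):
    """Return the URL-decoded last path segment of a URL such as /ddm/fls/<payload>."""
    path = url.split("?", 1)[0].rstrip("/")
    return unquote(path.rsplit("/", 1)[-1])


def classify_title_reflection(body, injected):
    """Classify how `injected` shows up in the <title> of `body`.

    Returns one of:
      'none'    - not reflected in the title
      'text'    - reflected, but the probe carried no HTML-special characters,
                  so escaping cannot be judged from this response
      'escaped' - reflected with markup characters HTML-encoded (low impact)
      'raw'     - reflected with markup characters intact (needs a closer look)
    """
    match = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    if not match:
        return "none"
    title = match.group(1)
    if not (HTML_SPECIAL & set(injected)):
        return "text" if injected in html.unescape(title) else "none"
    if injected in title:
        return "raw"
    if injected in html.unescape(title):
        return "escaped"
    return "none"


if __name__ == "__main__":
    probe = "poisoned by <b>tester</b>"
    for name, body in [("escaped", SAMPLE_ESCAPED), ("raw", SAMPLE_RAW)]:
        print(name, "->", classify_title_reflection(body, probe))
```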
#############################################################
[*] Google Response:
=================
buganizer-system@google.com
Changed
component: 310426 → 310543
status: New → Intended Behavior
mo...@google.com added comment #4:
Hey,
We've investigated your submission and made the decision not to track it as a security bug.
Reflecting text in a web application or an e-mail message is a known issue with too little practical impact, if the resulting text/HTML is sanitized and allows only for a limited formatting (e.g. XSS is not possible).
Please read here for our rationale for this issue.
This report will unfortunately not be accepted for our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and we feel the issue you mentioned does not meet that bar.
If you think we've misunderstood, please do let us know!
_______________________________
Reference Info: 169154143 other in adservice.google.com (WebApps)
component: 310543
status: Intended Behavior
reporter: gh05t666nero@gmail.com
cc: gh05t666nero@gmail.com, wo...@google.com
type: Customer Issue
priority: P4
severity: S4
retention: Component default
[i] Yep, they consider this vulnerability valid, but at the same time they consider it Out of Scope because it will not threaten Google users.
#############################################################
[*] Vulnerable path:
================
/ddm/fls/[Payload]
#############################################################
[*] Demo:
=======
https://adservice.google.com/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec
https://adservice.google.co.id/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec
https://adservice.google.co.uk/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec
https://adservice.google.co.kr/ddm/fls/poisoned%20by%20gh05t666nero%20ft%20indoghostsec
#############################################################
[*] Contact:
=========
# Website: www.anonsec.my.id
# Telegram: t.me/Gh05t666nero
# Instagram: instagram.com/ojan_cxs
# Twitter: twitter.com/Gh05t666nero1