Awesome Google VRP Writeups
A list of writeups from the Google VRP Bug Bounty program
*writeups: not just writeups
Contributing:
If you have/know of any Google writeups not listed in this repository, feel free to open a Pull Request. Please try to sort the writeups by publication date.
The template to follow when adding new writeups:
- **[MONTH DAY - $BOUNTY]** [TITLE](URL) by [NAME](TWITTER_URL)
If the bounty amount is not available, write $???.
If no Twitter account is available, try finding something similar, like another social media page or a website.
Contributors:
David Schütz, Alex Birsan, Dan Maas, wis4nggeni, Thomas Orlita, CaptainFreak, Akshansh Jaiswal, Nihal, Sriram, Nosa Shandy, Peter Gasper, Abartan Dhakal, Syahri Ramadan, Omar Espino, irsl, santuySec
Thank you!
Blog posts:
2021:
- [Mar 08 - $0] Google VRP N/A: SSRF Bypass with Quadzero in Google Cloud Monitoring by Omar Espino
- [Feb 16 - $0] Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story) by Imre Rad
- [Jan 27 - $???] Hijacking Google Drive Files (documents, photo & video) through Google Docs Sharing by santuySec
- [Jan 18 - $1,337] The Embedded YouTube Player Told Me What You Were Watching (and more) by David Schütz
- [Jan 11 - $5,000] Stealing Your Private YouTube Videos, One Frame at a Time by David Schütz
- [Jan 08 - $3,133.7] Blind XSS in Google Analytics Admin Panel - $3133.70 by Ashish Dhone
2020:
- [Dec 30 - $???] Getting my first Google VRP trophies by Imre Rad
- [Dec 27 - $???] Google VRP Hijacking Google Docs Screenshots by Sreeram KL
- [Dec 22 - $0] SSTI in Google Maps by Zohar Shacha
- [Dec 19 - $0] Google VRP - Sandboxed RCE as root on Apigee API proxies by Omar Espino
- [Nov 12 - $31,337] 31k$ SSRF in Google Cloud Monitoring led to metadata exposure by David Nechuta
- [Oct 08 - $30,000] The mass CSRFing of *.google.com/* products. by Missoum Said
- [Oct 01 - $5,000] Google bug bounty: XSS to Cloud Shell instance takeover (RCE as root) - $5,000 USD by Omar Espino
- [Sept 29 - $???] Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts by Thomas Orlita
- [Sept 20 - $500] How I earned $500 from Google - Flaw in Authentication by Hemant Patidar
- [Sept 08 - $10,000] XSS->Fix->Bypass: 10000$ bounty in Google Maps by Zohar Shacha
- [Sept 07 - $1,337] My first bug in google and how i got CSRF token for victim account rather than bypass it by Oday Alhalbe
- [Aug 26 - $???] Auth bypass: Leaking Google Cloud service accounts and projects by Ezequiel Pereira
- [Aug 25 - $1,337] How I Tracked Your Mother: Tracking Waze drivers using UI elements by Peter Gasper
- [Aug 22 - $???] The Short tale of two bugs on Google Cloud Product - Google VRP [Resolved] by Sriram
- [Aug 19 - $???] The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer by Allison Husain
- [Aug 18 - $???] How to contact Google SRE: Dropping a shell in Cloud SQL by Ezequiel Pereira
- [Aug 18 - $???] Three More Google Cloud Shell Bugs Explained by David Dworken
- [Aug 15 - $???] How I was able to send Authentic Emails as others - Google VRP [Resolved] by Sriram
- [July 28 - $1,337] Authorization bypass in Google’s ticketing system (Google-GUTS) by Zohar Shacha
- [July 17 - $5,000] Idor in google product by baluz
- [June 15 - $3,133.7] SMTP Injection in Gsuite by Zohar Shacha
- [June 6 - $500] How i earned $500 from google by change one character . by Oday Alhalbe
- [June 4 - $???] Privilege Escalation in Google Cloud Platform's OS Login by Chris Moberly
- [May 21 - $31,337] RCE in Google Cloud Deployment Manager by Ezequiel Pereira
- [May 10 - $???] Bypassing Firebase authorization to create custom goo.gl subdomains by Thomas Orlita
- [May 8 - $4133.70] Bypass XSS filter using HTML Escape by Syahri Ramadan
- [May 7 - $3,133.7] DOM-Based XSS at accounts.google.com by Google Voice Extension by Missoum Said
- [May 7 - $???] Google Acquisition XSS (Apigee) by TnMch
- [May 3 - $???] DOM XSS in Gmail with a little help from Chrome by Enguerran Gillier
- [Apr 30 - $6,267.4] Researching Polymorphic Images for XSS on Google Scholar by Lorenzo Stella
- [March 27 - $3,133.7] $3133.7 Google Bug Bounty Writeup- XSS Vulnerability! by Pethuraj M
- [March 7 - $5,000] Google Ads Self-XSS & Html Injection $5000 by Syahri Ramadan
- [March 8 - $6,000] The unexpected Google wide domain check bypass by David Schütz
- [Jan 12 - $???] Information Disclosure Vulnerability in the Google Cloud Speech-to-Text API by Dan Maas
2019:
- [Dec 30 - $3,133.7] How did I earn $3133.70 from Google Translator? (XSS) by Beri Bey
- [Dec 19 - $???] SSRF in Google Cloud Platform StackDriver by Ron Chan
- [Dec 16 - $???] 4 Google Cloud Shell bugs explained by Wouter ter Maat
- [Dec 15 - $5,000] The File uploading CSRF in Google Cloud Shell Editor by Obmi
- [Dec 15 - $5,000] The oauth token hijacking in Google Cloud Shell Editor by Obmi
- [Dec 15 - $5,000] The XSS ( type II ) in Google Cloud Shell Editor by Obmi
- [Nov 29 - $1,337] Writeup for the 2019 Google Cloud Platform VRP Prize! by Missoum Said
- [Nov 18 - $???] XSS in GMail’s AMP4Email via DOM Clobbering by Michał Bentkowski
- [Sep 09 - $???] Combination of techniques lead to DOM Based XSS in Google by Sasi Levi
- [Aug 31 - $36,337] $36k Google App Engine RCE by Ezequiel Pereira
- [July 20 - $13,337] Into the Borg - SSRF inside Google production network by Enguerran Gillier
- [July 10 - $???] Gsuite Hangouts Chat 5k IDOR by Cameron Vincent
- [May 21 - $13,337] Google Bug Bounty: LFI on Production Servers in “springboard.google.com” - $13,337 USD by Omar Espino
- [March 29 - $0] Inserting arbitrary files into anyone’s Google Earth Projects Archive by Thomas Orlita
- [March 26 - $3,133.7] How I could have hijacked a victim’s YouTube notifications! by Yash Sodha
- [Feb 12 - $???] Hacking YouTube for #fun and #profit by Alexandru Coltuneac
- [Jan 31 - $???] LFI in Apigee portals by Wouter ter Maat
- [Jan 30 - $7,500] $7.5k Google Cloud Platform organization issue by Ezequiel Pereira
- [Jan 18 - $10,000] $10k host header by Ezequiel Pereira
2018:
- [Dec 12 - $???] XSSing Google Code-in thanks to improperly escaped JSON data by Thomas Orlita
- [Dec 11 - $???] Clickjacking DOM XSS on Google.org by Thomas Orlita
- [Dec 05 - $500] Billion Laugh Attack in https://sites.google.com by Antonio Sanso
- [Nov 19 - $???] XS-Searching Google’s bug tracker to find out vulnerable source code by Luan Herrera
- [Nov 25 - $???] XSS in Google's Acquisition by Abartan Dhakal
- [Nov 11 - $7,500] Clickjacking on Google MyAccount Worth 7,500$ by Apapedulimu
- [Oct 04 - $???] GoogleMeetRoulette: Joining random meetings by Martin Vigo
- [Sep 05 - $???] Reflected XSS in Google Code Jam by Thomas Orlita
- [Aug 22 - $???] Liking GitHub repositories on behalf of other users â Stored XSS in WebComponents.org by Thomas Orlita
- [Aug - $???] Unauth meetings access by Rojan Rijal
- [May 25 - $???] Waze remote vulnerabilities by PanguTeam
- [March 31 - $5,000] $5k Service dependencies by Ezequiel Pereira
- [March 28 - $???] Stored XSS on biz.waze.com by Rojan Rijal
- [Mar 07 - $13,337] Stored XSS, and SSRF in Google using the Dataset Publishing Language by Craig Arendt
- [Feb 24 - $13,337] Bypassing Google’s authentication to access their Internal Admin panels by Vishnu Prasad P G
- [Feb 19 - $???] Google bugs stories and the shiny pixelbook by Missoum Said
- [Feb 14 - $7,500] $7.5k Google services mix-up by Ezequiel Pereira
2017:
- [Oct 30 - $15,600] How I hacked Google’s bug tracking system itself for $15,600 in bounties by Alex Birsan
- [Aug - $5,000] Google VRP : oAuth token stealing by Harsh Jaiswal
- [Mar 09 - $5,000] How I found a $5,000 Google Maps XSS (by fiddling with Protobuf) by Marin Moulinier
- [Feb 26 - $3,133.7] Exploiting Clickjacking Vulnerability To Steal User Cookies by Jasminder Pal Singh
- [Jan - $???] Ok Google, Give Me All Your Internal DNS Information! by Julien Ahrens
- [Jan 04 - $???] fastboot oem sha1sum by Roee Hay
2016:
- [Aug 26 - $500] $500 getClass by Ezequiel Pereira
- [Feb 28 - $???] Stored, Reflected and DOM XSS in Google for Work Connect (GWC) by Ashar Javed
2015:
- [Dec 8 - $???] Creative bug which result Stored XSS on m.youtube.com by Sasi Levi
- [Oct 29 - $???] XSS in YouTube Gaming by Ashar Javed
- [June 26 - $3,133.7] Youtube Editor XSS Vulnerability by Jasminder Pal Singh
2014:
- [Oct 31 - $5,000] The 5000$ Google XSS by Patrik Fehrenbach
- [Oct 26 - $1,337] Youtube XSS Vulnerability [Stored -> Self Executed] by Jasminder Pal Singh
- [Jan 10 - $???] Again, from Nay to Yay in Google Vulnerability Reward Program! by Ahmad Ashraff
- [Aug 13 - $???] I hate you, so I pawn your Google Open Gallery by Ahmad Ashraff
2013:
- [Sep 15 - $3,133.7] XSRF and Cookie manipulation on google.com by Michele Spagnuolo
- [July 08 - $???] Stored XSS in GMail
Unknown Date:
- [??? - $???] XSS vulnerability in Google Cloud Shell’s code editor through mini-browser endpoint by Psi
- [??? - $???] Information leakage vulnerability in Google Cloud Shell’s proxy service by Psi
- [??? - $???] XSS vulnerability in Google Cloud Shell’s code editor through SVG files by Psi
- [??? - $???] CSWSH vulnerability in Google Cloud Shell’s code editor by Psi
- [??? - $3,133.7] Open redirects that matter by Tomasz Bojarski
- [??? - $???] Voice Squatting & Voice Masquerading Attack against Amazon Alexa and Google Home Actions by ???
- [??? - $???] Blind XSS against a Googler by Rojan Rijal
- [??? - $???] Multiple XSSs on hire.withgoogle.com by Rojan Rijal
- [??? - $???] Auth Issues on hire.withgoogle.com by Rojan Rijal
- [??? - $???] G Suite - Device Management XSS by Rojan Rijal
Videos:
- [2020 Jul 31] Script Gadgets! Google Docs XSS Vulnerability Walkthrough by LiveOverflow
- $100k Hacking Prize - Security Bugs in Google Cloud Platform by LiveOverflow
- Google Bug Hunters by Eduardo Vela Nava
- Best Of Google VRP 2018 by Daniel Stelter-Gliese
- Great Bugs In Google VRP In 2016 by Martin Straka and Karshan Sharma
- Google Cloud Platform vulnerabilities by Ezequiel Pereira
- Google Paid Me to Talk About a Security Issue! by LiveOverflow
- War Stories from Google’s Vulnerability Reward Program by Gábor Molnár
- Secrets of the Google Vulnerability Reward Program by Krzysztof Kotowicz
- XSS on Google Search - Sanitizing HTML in The Client? by LiveOverflow