Stored XSS in Google Ads Android Application— $3133.70

Introduction

This article is a write-up on how I found a Stored XSS in the Google Ads Android application, for which I was rewarded $3133.70. I waited for the fix, and after discussing it with the Google Security Team I am disclosing my finding.

Currently I am ranked in the Top 200 of Google's Hacker Ranking.

What is Stored XSS

Stored XSS attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent XSS.

Vulnerability exploitation

When you have a large scope to hack it is always difficult to choose the target, but this time I wanted to hack on Google Ads, as I had seen many reports regarding XSS on Google Ads and, as always, I wanted to get an XSS, my all-time favorite.

I started listing bugs found on Google Ads and was amazed to see some awesome XSS. So I started hunting: it was 3 days on the same target, trying everything with bypasses, but no luck, I didn't find any XSS.

Now it was time to change my methodology. I left the web application and went to the Google Ads Android application, and it is very difficult to get an XSS on an Android application easily.

Here also I tried everything, but no luck again; I was not able to find even a reflection here. But yes, I won't give up easily. In the Billing and Payments option of the Android application I saw a weird behavior: under Settings, the HTML code I had added in Google Payments → Payments Profile → Business name was executed. Now, yes, let's chain this into an XSS.

Now I went to Google Payments and tried XSS payloads, and yes, an anchor tag did the work. Then I went to the Google Ads Android application, and after clicking the hyperlink there was my XSS. So here we have HTML Injection + Stored XSS.
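The root cause described above (a plain-text profile field, the Business name, stored in one product and rendered as live HTML in another) is a classic output-encoding failure. The following is an added example, not code from the write-up or from Google: it shows the vulnerable rendering pattern beside the hardened one, plus a write-time check for markup in a field that should never contain any. The `renderProfile*` and `looksLikeMarkup` function names and the stored business-name value are constructed for illustration.

```javascript
// Added example (not from the write-up): a stored "business name" field
// rendered two ways. All names and sample values here are constructed.

// Minimal HTML entity encoder for text placed into an HTML body or a
// double-quoted attribute value. Covers the five characters that matter.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored field is concatenated straight into markup,
// so any tag the account holder typed becomes part of the rendered page/view.
function renderProfileUnsafe(businessName) {
  return `<div class="profile-name">${businessName}</div>`;
}

// Hardened pattern: the same field passed through the encoder, so a stored
// "<a href=...>" is displayed as literal text instead of becoming a link.
function renderProfileSafe(businessName) {
  return `<div class="profile-name">${escapeHtml(businessName)}</div>`;
}

// Defensive write-time check: a business name is plain text, so the presence
// of a tag opener or a javascript: URL is a signal to reject or flag the
// value before it is stored and later shown in other products.
function looksLikeMarkup(value) {
  return /<\s*\/?\s*[a-z!]/i.test(value) || /javascript:/i.test(value);
}

// Constructed sample of the kind of value the write-up describes: an anchor
// tag saved as the business name.
const storedBusinessName = '<a href="javascript:alert(1)">Click</a>';

console.log("unsafe:", renderProfileUnsafe(storedBusinessName));
console.log("safe:  ", renderProfileSafe(storedBusinessName));
console.log("flag:  ", looksLikeMarkup(storedBusinessName));
```

The design point for the Android side is the same: a field meant to be plain text should be set on a TextView as text, never passed through an HTML parser or a WebView, and the encoding must happen in every consumer of the shared profile data, not only in the product where the value was entered.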

Here I have some evidence. As we cannot take screenshots in the Google Ads Android application, I took a photo of it.

Without wasting time I wrote a nice report and sent it to Google, and after 2–3 weeks I received a mail again, and this time I was rewarded $3133.70.

POC Video:

Happy to Hack Google again !!

If you need any help or want to connect, you can connect with me via LinkedIn at https://in.linkedin.com/in/ashish-dhone-640489135

I hope it will help you somewhere with your journey !!

Thanks for Reading !!

./Keep_Hacking

Information Security Analyst at Persistent Systems | Synack Red Team Member | CEH v10 | CEH Master | Bug Bounty Hunter
