Ever thought of hacking any Google application? Google pays off to those who find security vulnerabilities in its products!
Well, this quarter 2 of the 24 ‘Honorable Mentions’ from around the world in the Google Application Security ‘Hall of Fame’ two Pakistani names have been mentioned. Mirza Burhan Baig & Ashar Javed are the ones who reported vulnerabilities in Google products and have been named in a list where you can see genius people from all around the globe. More details about the program can be found here: http://goo.gl/DkPnIK
We asked Mirza Burhan Baig about his experience, what he did and all that! Let’s have a quick look over an interesting facts.
Orkut, a Google product and a Social network used by world many years ago, all traffic now goes to Facebook and other popular social networks but still Google cares about the security issues of its products. Google offers reward money and honorable mentions for finding vulnerabilities and logical bugs.
He further adds that
Although I was not paid by the panel, but still I love Google 😀
So this is about XSS (Cross Site Scripting) in Orkut.com! He further adds to it that “my story of Orkut begins some days back. I was checking the filtering in the orkut search and other input fields. Then suddenly I took a look at the sidebar/panel under Profile Picture. I saw something like “your mood or headline…”. I thought to inject some XSS Vector to test it… 😉
As soon as I did put my vector in that field it filters out the XSS Vector…Woops! Disappointment. So cutting it short I thought to hit Mobile version of Orkut! And when I opened that and tried to put that vector in the mood input field, it pops up!”
In short the input validation was weak on mobile site of Orkut! Main website Orkut.com filters the Vector where as mobile version on the website is not filtering the vector and calling the vector from the main website!