InfoSecBulletin Cybersecurity for mankind
The writing is first published to medium where Henry N. Caga wrote about how he find out Google’s vulnerability and achieved hall of fame recognition.
Henry N. Caga wrote I stumbled upon a discovery that sent shockwaves through my system: an XSS (Cross-Site Scripting) vulnerability lurking within one of Google’s sub-domains. This vulnerability not only revealed a potential entry point for malicious actors but also shed light on the critical importance of robust cybersecurity practices, even for tech giants like Google. This discovery led to my advancement in the Google’s Hall of Fame and a reward. Read on to find out how much Google rewards for this discovery.
Check Point said BreachForum post old data
Apple Warns of 3 Zero Day Vulns Actively Exploited
24,000 unique IP attempted to access Palo Alto GlobalProtect portals
CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access
Australian fintech database exposed in 27000 records
Over 200 Million Info Leaked Online Allegedly Belonging to X
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
Discovery:
As a cybersecurity enthusiast, I often engage in what some might call “ethical hacking” — the search for vulnerabilities within systems with the intent to improve security. While exploring various sub-domains of popular websites, I came across an unassuming sub-domain and URL linked to Google.
This URL caught my eye:
https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br
At first glance, I had a gut feeling that this URL might be vulnerable.
Bug Hunting Tip #1: Always trust your instincts. If a URL seems vulnerable to you, it probably is!
I attempted to input various payloads into the ‘q’ parameter to see if I could uncover anything interesting or find a vulnerability, but unfortunately, I was unsuccessful. After trying different payloads without success, I decided to focus on my favorite XSS payload. I began tweaking and refining it.
Payload to Use: “><SvG/onload=alert(document.domain) id=hncaga>
To make this work correctly, I need to ‘URL encode’ special characters such as spaces, parentheses, etc.
The complete URL will be: https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br%22%3E%3CSvG/onload=alert(document.domain)%20id=hncaga%3E
Of course, this also didn’t work because this payload had already been included in my previous tests on this target URL.
What I did next was ‘URL encode’ all the characters of my payload to see if it could bypass filtering. Click here to read the full report.
