InfoSecBulletin Cybersecurity for mankind
The writing is first published to medium where Henry N. Caga wrote about how he find out Google’s vulnerability and achieved hall of fame recognition.
Henry N. Caga wrote I stumbled upon a discovery that sent shockwaves through my system: an XSS (Cross-Site Scripting) vulnerability lurking within one of Google’s sub-domains. This vulnerability not only revealed a potential entry point for malicious actors but also shed light on the critical importance of robust cybersecurity practices, even for tech giants like Google. This discovery led to my advancement in the Google’s Hall of Fame and a reward. Read on to find out how much Google rewards for this discovery.
Best Cybersecurity Certifications for Your Career in 2025
CVE-2024-40766
48,000+ Vulnerable SonicWall Devices exposed to ransomware attack
India releases draft Digital Personal Data Protection Rules
Microsoft to invest $80 Billion in AI Data Center
City Bank Customer financial reports posted dark market for sale
3.3 Million Email Server Expose User Passwords and Messages in Plain Text
Memory-Dump-UEFI
Researcher dumping memory to bypass BitLocker on Windows 11
CVE-2024-49112
PoC Exploit Released for Zero-Click vulnerability in Windows
Financial Threat Assessment 2024
BCSI marks Bangladeshi 28 banks high, 10 medium for cyber attack
Misconfigured Kubernetes RBAC in Azure Airflow Could Expose Entire Cluster
Discovery:
As a cybersecurity enthusiast, I often engage in what some might call “ethical hacking” — the search for vulnerabilities within systems with the intent to improve security. While exploring various sub-domains of popular websites, I came across an unassuming sub-domain and URL linked to Google.
This URL caught my eye:
https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br
At first glance, I had a gut feeling that this URL might be vulnerable.
Bug Hunting Tip #1: Always trust your instincts. If a URL seems vulnerable to you, it probably is!
I attempted to input various payloads into the ‘q’ parameter to see if I could uncover anything interesting or find a vulnerability, but unfortunately, I was unsuccessful. After trying different payloads without success, I decided to focus on my favorite XSS payload. I began tweaking and refining it.
Payload to Use: “><SvG/onload=alert(document.domain) id=hncaga>
To make this work correctly, I need to ‘URL encode’ special characters such as spaces, parentheses, etc.
The complete URL will be: https://aihub.cloud.google.com/url?q=https://cidadesmineradoras.com.br%22%3E%3CSvG/onload=alert(document.domain)%20id=hncaga%3E
Of course, this also didn’t work because this payload had already been included in my previous tests on this target URL.
What I did next was ‘URL encode’ all the characters of my payload to see if it could bypass filtering. Click here to read the full report.
