Google - Security Bug Report
<!DOCTYPE html> <html class="google" lang="en"> <head> <script> (function(H){H.className=H.className.replace(/\bgoogle\b/,'google-js')})(document.documentElement) </script> <meta charset="utf-8"> <meta content="initial-scale=1, minimum-scale=1, width=device-width" name="viewport"> <title> Google - Security Bug Report </title> <link rel="stylesheet" type="text/css" href="/web/20210609211103cs_/https://www.google.com/appserve/security-bugs/m2/css/vsa_app.css"/> <script src="//web.archive.org/web/20210609211103js_/https://www.google.com/js/google.js"></script> <script> new gweb.analytics.AutoTrack({profile:"UA-41780504-1"}); </script> <link href="//web.archive.org/web/20210609211103cs_/https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700&lang=en" rel="stylesheet"> <link href="//web.archive.org/web/20210609211103cs_/https://www.google.com/css/maia.css" rel="stylesheet"> <script src="https://web.archive.org/web/20210609211103js_/https://www.google.com/recaptcha/api.js"></script> </head> <body> <div class="maia-header" id="maia-header" role="banner"> <div class="maia-aux"> <h1><a 
href="//web.archive.org/web/20210609211103/https://www.google.com/"><img alt="Google" src="//web.archive.org/web/20210609211103im_/https://www.gstatic.com/images/branding/googlelogo/1x/googlelogo_color_120x48dp.png"></a></h1> </div> </div> <div id="maia-main" role="main"> <form> <div id="_vsaq_body"></div> </form> <form method="POST" id="hidden_form"> <textarea id="_vsaq_template">{"items": [{"type": "block", "text": "Report a security vulnerability", "id": "item-84", "cond": "", "className": "", "items": [{"type": "info", "text": "<p>If you have found a security or an abuse risk related bug in a Google product and want to report it to us, you've come to the right place. Please fill out the following form and we'll be in touch shortly. If this is a valid vulnerability report, it might also be eligible for a reward as part of our <a href=\"https://www.google.com/about/appsecurity/reward-program/index.html\">Vulnerability Reward Program</a>. Thanks!", "id": "item-20", "cond": "!config_done && !continue_next", "className": "", "default": "", "placeholder": ""}, {"type": "tip", "text": "\n<p>This is the right place to report a product security bug to the Information Security Engineering team. A couple things to keep in mind:</p>\n<ul>\n <li><strong>Please describe the issue as if the person reading it had no knowledge of the affected product.</strong></li>\n <li><strong>If there's already a tracking bug</strong> for the reported issue, please link to it in the technical details section.</li>\n <li>Googlers are not qualified for monetary rewards. 
Some text on this page and in automated notifications might refer to monetary rewards; please ignore those.</li>\n <li>Android platform and Chrome bugs should be reported to their respective security teams, not here (links will appear below if you select one of those options).</li>\n <li>For more information, see <a href=\"https://goto.google.com/vuln-docs\">go/vuln-docs</a>.</li>\n</ul>\n", "id": "googler_info", "cond": "config_googler", "className": "", "default": "", "placeholder": "", "customTitle": "Hi Googler!"}, {"type": "info", "text": "<b>Thanks! We received your report</b>. If you reported a valid security vulnerability, we will get back to you within one business day.", "id": "item-21", "cond": "config_done", "className": "maia-notification", "default": "", "placeholder": ""}, {"type": "tip", "text": "There was an error submitting your report. Please review the submission and try again.", "id": "item-22", "cond": "config_errors", "className": "error", "default": "", "placeholder": "", "customTitle": "Error"}, {"type": "block", "text": "Problem description", "id": "item-38", "cond": "!continue_next && !config_whitelisted && !config_done", "className": "", "items": [{"type": "block", "text": "Please describe the issue you wish to report.", "id": "item-23", "cond": "", "className": "", "items": [{"type": "radio", "text": "I'm experiencing a security problem with my Google account.", "id": "problem_account", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I want to remove content on Google Search, YouTube, Blogger, or another service.", "id": "problem_data", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I have a privacy doubt or a privacy-related question about Google products and services.", "id": "problem_privacy", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I found a security bug in the Google \"forgot password\" feature.", 
"id": "problem_account_recovery", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I found a problem in the Google Certificate Authority.", "id": "problem_pki", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I want to report a Google Cloud customer running insecure software that could potentially lead to compromise.", "id": "problem_cloud_abuse", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I want to report a technical security or an abuse risk related bug in a Google product (SQLi, XSS, etc.).", "id": "problem_vuln", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I want to report a scam, malware, or other problems not listed above.", "id": "problem_scam", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "tip", "text": "\n<p>If you are looking to report a security incident involving Google certificates, please click <label class=\"inline\" for=\"problem_vuln\">here</label>, otherwise:</p>\n<ul>\n <li>To review the frequently asked questions to the Google PKI team, visit their FAQ <a href=\"https://pki.goog/faq.html\">here</a>.\n <li>If you have more questions, contact the Google PKI team at <a href=\"mailto:contact@pki.goog\">contact@pki.goog</a>.\n</ul>", "id": "item-24", "cond": "problem_pki", "className": "", "default": "", "placeholder": "", "customTitle": "Google PKI"}, {"type": "tip", "text": "\n<p>Around <strong>90%</strong> of reports we receive describe issues that are not security vulnerabilities, despite looking like one. For example:</p>\n<ul>\n<li><p><strong>I'm receiving e-mail messages addressed to another user with a similar name.</strong><p>It's most likely a typo made by that other person (please note that <i>bob.foo@gmail.com</i> is actually the same account as <i>bobfoo@gmail.com</i>). 
Go ahead and read <a href=\"https://goo.gl/o7XgV\">this article</a> for an explanation; it's not a bug.</li>\n<li><p><strong>XSS in <i>translate.googleusercontent.com</i> or <i>yourblog.blogspot.com</i></strong><p>These are examples of <a href=\"https://goo.gl/KaPfYz\">sandbox domains</a> created exactly so that XSS there does not pose risk to our users. It's not a vulnerability.</li>\n</ul>\n<p>But there's more! If you're a security researcher, make sure to look at the list at our <a href=\"https://goo.gl/5cwTvx\">Bughunter University</a> before continuing.\n", "id": "top_nonvulns", "cond": "problem_vuln && !config_whitelisted", "className": "", "default": "", "placeholder": "", "customTitle": "Did you know?"}, {"type": "block", "text": "This form is not the right place to report security problems with your account, but we might be able to point you to the right one. Tell us more about your problem.", "id": "item-25", "cond": "problem_account", "className": "", "items": [{"type": "check", "text": "I received a warning about a suspicious login to my account.", "id": "account_login", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I don't remember my password or need to reopen an old account.", "id": "account_locked", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "My account has been hijacked.", "id": "account_hijacked", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "There is unexpected activity on my account.", "id": "account_suspicious", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I'm seeing someone else's data.", "id": "account_someone_else", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I need help restoring the contents of my account.", "id": "account_hacked", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", 
"text": "I'm receiving e-mail messages addressed to another user with a similar name.", "id": "account_email", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I'm receiving spam in my Gmail or my contacts say I'm sending them spam from my Gmail.", "id": "account_spam", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "What type of information do you want to remove?", "id": "item-26", "cond": "problem_data", "className": "", "items": [{"type": "check", "text": "I want to remove data from YouTube.", "id": "remove_youtube", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to remove data from Google Search.", "id": "remove_search", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to remove data from Streetview.", "id": "remove_streetview", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to remove data from Google Maps.", "id": "remove_maps", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to remove data from Orkut.", "id": "remove_orkut", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to remove data from Blogger.", "id": "remove_blogger", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "Provide additional details about the offending content.", "id": "item-27", "cond": "problem_scam", "className": "", "items": [{"type": "check", "text": "I've received a message about winning a prize or lottery from Google or want to report fraudulent content purporting to be from Google.", "id": "scam_lottery", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "I want to report a website that hosts malicious software.", "id": "scam_malware", "cond": "", "className": "", 
"default": "", "placeholder": ""}, {"type": "check", "text": "I want to report something else.", "id": "scam_other", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "tip", "text": "\nTo find answers to many common questions and concerns about privacy and user data related to any Google product or service please visit our <a href=\"https://goo.gl/rCAXJp\" target=\"_self\"><strong>Privacy Troubleshooter</strong></a>.\n", "id": "privacy_questions", "cond": "problem_account || problem_privacy || problem_data || scam_other", "className": "", "default": "", "placeholder": "", "customTitle": "Privacy questions?"}, {"type": "tip", "text": "\n If you have discovered an instance of a customer-managed service hosted on Google Cloud that is not currently abusive, but has a security vulnerability that might lead to compromise and abuse, you can report it <a href=\"https://support.google.com/code/contact/cloud_platform_report?hl=en\" target=\"_self\">here</a> or by email at <a href=\"mailto:google-cloud-compliance@google.com\">google-cloud-compliance@google.com</a>.\n", "id": "cloud_abuse_tip", "cond": "problem_cloud_abuse", "className": "", "default": "", "placeholder": "", "customTitle": "Google Cloud Abuse"}, {"type": "block", "text": "What is the security issue in the <a href=\"https://accounts.google.com/signin/recovery\">forgot password</a> feature you wish to report?", "id": "item-28", "cond": "problem_account_recovery", "className": "", "items": [{"type": "radio", "text": "I successfully hijacked a Google account, pretending to be an attacker.", "id": "problem_account_recovery2_regular", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Someone hijacked my Google account.", "id": "problem_account_recovery2_iamhacked", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "info", "text": "\n<p>We're sorry to hear that. 
To recover access to your account, please <label class=\"inline\" for=\"problem_account\">continue here</label> and select the 'My account has been hijacked.' option.</p>\n", "id": "item-29", "cond": "problem_account_recovery2_iamhacked", "className": "", "default": "", "placeholder": ""}, {"type": "block", "text": "What is the type of issue that you exploited?", "id": "item-30", "cond": "problem_account_recovery2_regular", "className": "", "items": [{"type": "radio", "text": "The questions Google asked me in the process are too easy to guess.", "id": "problem_account_recovery3_questions_easy", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I was asked too few questions before getting access to an account.", "id": "problem_account_recovery3_questions_few", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I was let in to the account, while my answers to questions were incorrect.", "id": "problem_account_recovery3_answers_invalid", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Restoring the access to an account was otherwise easy.", "id": "problem_account_recovery3_too_easy", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "info", "text": "<p>If we're confident enough that the owner is trying to recover their own account, the questions we ask may be easier than when we suspect you're the attacker.</p>", "id": "item-31", "cond": "problem_account_recovery3_questions_easy", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "<p>Sometimes few questions are asked if we're confident (based on many other signals) that the user is not the attacker, but the original owner. 
An attacker would have a much, much harder time.</p>", "id": "item-32", "cond": "problem_account_recovery3_questions_few", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "<p>It turns out people make mistakes, even when recovering their own accounts. Sometimes, when multiple other signals in the recovery process tell us you're the actual owner, we might turn a blind eye to an invalid response. It isn't the case for the attacker though.</p>", "id": "item-33", "cond": "problem_account_recovery3_answers_invalid", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "<p>We use multiple signals when deciding whether to allow access to an account. To keep your account secure, we cannot speak about many of them, but rest assured the real attacker would experience the process very differently than the original account owner.</p>", "id": "item-34", "cond": "problem_account_recovery3_answers_invalid", "className": "", "default": "", "placeholder": ""}, {"type": "morfeo-thinblock", "id": "problem_account_recovery4", "cond": "problem_account_recovery3_questions_easy || problem_account_recovery3_questions_few || problem_account_recovery3_answers_invalid || problem_account_recovery3_too_easy", "className": "", "items": [{"type": "block", "text": "Was the account previously used on the same browser/computer/IP address that was used to attack?", "id": "item-35", "cond": "", "className": "", "items": [{"type": "radio", "text": "No", "id": "account_recovery_simple_no", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Yes", "id": "account_recovery_simple_yes", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "tip", "text": "\n<p>If the recovery was initiated from the same IP address or a browser that was regularly used to access the account before,\n it's <strong>working as intended</strong>. 
After all, you should be able to <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/using-google-account-recovery-to-hijack-test-accounts\">recover accounts created by you</a>.</p>\n<p>It might seem surprising at first, but there are many, many signals that are used in account recovery, before the access is allowed. Some of those are difficult to properly assess in small scale testing and it often looks like recovering the access is easier for the attacker than it actually is.</p>", "id": "account_recovery_simple_tip", "cond": "account_recovery_simple_yes", "className": "", "default": "", "placeholder": "", "customTitle": "Not a bug"}, {"type": "info", "text": "\n<p>This initially looks like a bug. However, most of the security reports about the 'forget password' feature we receive turn out to be invalid, so please read about the <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/using-google-account-recovery-to-hijack-test-accounts\">known issues</a> with account recovery first.</p>\n<p>For this kind of security report it's important we got the details right and can reproduce the issue. If the bug you've found works consistently time after time, please <label class=\"inline\" for=\"problem_vuln\">report the vulnerability</label> and we'll be in touch shortly. 
Thanks a lot!</p>\n", "id": "item-36", "cond": "account_recovery_simple_no", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "", "id": "item-37", "cond": "problem_scam || problem_account || problem_data", "className": "", "items": [{"type": "radio", "text": "<span class=\"maia-button\">Continue</span>", "id": "continue_next", "cond": "", "className": "", "default": "", "placeholder": ""}]}]}, {"type": "block", "text": "Help", "id": "item-59", "cond": "continue_next", "className": "", "items": [{"type": "info", "text": "<p>Please visit our guide to staying safe online at <a href=\"https://www.google.com/goodtoknow/\"><b>https://www.google.com/goodtoknow/</b></a>. There you will find information on how to protect you and your information online.</p><hr/>", "id": "item-39", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you need help with your Google account, please visit our <a href=\"https://goo.gl/jlLODk\" target=\"_self\"><strong>Privacy Troubleshooter</strong></a>.", "id": "item-40", "cond": "account_login || account_locked || account_hijacked || account_suspicious || account_hacked || account_someone_else", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you have questions about emails you are receiving or sending, or have any questions about Gmail security, please visit our <a href=\"https://goo.gl/1Ww6Ha\" target=\"_self\">Privacy Troubleshooter</a>.", "id": "item-41", "cond": "account_email || account_spam", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you received a suspicious login warning, please read the information on this <a href=\"https://goo.gl/Qt6KJ\">page</a>.", "id": "item-42", "cond": "account_login", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you are locked out of your account or you forgot your username or password for an old account, <a 
href=\"https://goo.gl/U13VC\">click here to go through our account recovery process</a>.", "id": "item-43", "cond": "account_locked || account_hijacked", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "\n<p>Are you seeing unexpected activity on your account and you suspect your or someone else's Google account has been hijacked? Follow these links to investigate:</p>\n<ul>\n<li>Make sure that there are no unknown devices connected to the account - look at <a href=\"https://goo.gl/nbVbd\">Recently used devices</a> page.</li>\n<li>Complete the <a href=\"https://goo.gl/BLhMHN\">Security Checkup</a> to make sure the account is securely configured.</li>\n<li>If you believe your account was recently compromised, follow <a href=\"https://goo.gl/TQaie\">Gmail security checklist</a> to complete the account recovery process.</li>\n<li>Visit <a href=\"https://goo.gl/27WOL1\" target=\"_self\">this page</a> to search for the solution for the problem you're experiencing.</li>\n</ul>\n", "id": "item-44", "cond": "account_suspicious || account_someone_else", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you need assistance in restoring your account settings after a compromise, please complete <a href=\"https://goo.gl/fGGxR\">Gmail security checklist</a>.", "id": "item-45", "cond": "account_hacked || account_hijacked", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you are receiving the email of someone else with a similar name in your Gmail, it's a commonly reported problem and has a very good explanation. 
Go ahead and read <a href=\"https://goo.gl/o7XgV\">this article</a> for an explanation.", "id": "item-46", "cond": "account_email || account_someone_else", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you are receiving spam in your Gmail or your contacts say you are sending them spam from your Gmail, please read the information on <a href=\"https://goo.gl/LF9ic\">this page</a>.", "id": "item-47", "cond": "account_spam", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to report abusive or inappropriate content on Youtube, please <a href=\"https://goo.gl/sV1xc\">click here</a>.", "id": "item-48", "cond": "remove_youtube", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to remove a result from Google Search, please <a href=\"https://goo.gl/BbskjF\">go here</a>.", "id": "item-49", "cond": "remove_search", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to remove images from Google Streetview, please <a href=\"https://goo.gl/e0FX9\">click here</a>.", "id": "item-50", "cond": "remove_streetview", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to remove or correct information in Google Maps, please <a href=\"https://goo.gl/1FR0a\">click here</a>.", "id": "item-51", "cond": "remove_maps", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you are trying to remove information from Orkut, please <a href=\"https://goo.gl/2JWwE\">click here</a>.", "id": "item-52", "cond": "remove_orkut", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you are trying to remove information from a blog hosted in Blogger, please <a href=\"https://goo.gl/DyrHj\">click here</a>.", "id": "item-53", "cond": "remove_blogger", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to recover your old 
YouTube account, or you forgot your YouTube password, <a href=\"https://goo.gl/ZzOBD\">click here</a> to initiate a YouTube account recovery.", "id": "item-54", "cond": "account_locked", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you have received a message about winning a prize or lottery from Google, please note that Google does not run lotteries, sweepstakes, or similar programs. E-mails or advertisements claiming otherwise are fraudulent and can be safely reported as spam using <a href=\"https://goo.gl/olZrA\">this page</a>.", "id": "item-55", "cond": "scam_lottery", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If you want to report a site hosting malicious software, you can report it by using <a href=\"https://goo.gl/zWcqe\">this form</a>.", "id": "item-56", "cond": "scam_malware", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "If nothing on this page applies to your problem please search the <a href=\"https://goo.gl/qU2w4\">Google Help Center</a> or visit our <a href=\"https://goo.gl/C12pf\">Product Forums</a> to review the advice provided by the community.", "id": "item-57", "cond": "scam_other", "className": "", "default": "", "placeholder": ""}, {"type": "tip", "text": "If you are still having problems, you can also <a href=\"https://goo.gl/sRVFOi\">start a new thread</a> on our product forums or visit our <a href=\"https://goo.gl/rCAXJp\" target=\"_self\">Privacy Troubleshooter</a>.", "id": "item-58", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "Contact information", "id": "item-61", "cond": "problem_vuln && config_guest", "className": "", "items": [{"type": "info", "text": "<p>Google will use your email address to process your vulnerability report submission and to communicate with you about it. You can <a href=\"https://goo.gl/XW7Wak\"><label for=\"signin\">sign in</label></a> to Google to skip this step. 
You can also submit the report anonymously, but note that you'll have to provide certain identifying information if you'd like to be eligible to receive a reward.", "id": "item-60", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "line", "text": "What is your <b>name</b>?", "id": "reporter_name", "cond": "", "className": "", "default": "", "inputType": "text", "placeholder": "", "maxlength": 300}, {"type": "line", "text": "What <b>email address</b> can we use to contact you?", "id": "email", "cond": "", "className": "", "default": "", "inputType": "text", "placeholder": "", "maxlength": 300}]}, {"type": "block", "text": "Contact information", "id": "item-63", "cond": "(problem_vuln || config_whitelisted) && !config_guest", "className": "", "items": [{"type": "info", "text": "<p>Google will use your email address to process your vulnerability report submission and to communicate with you about it. If you want to submit a report anonymously, you can <a href=\"http://goo.gl/BoMi9x\">sign out</a> and then fill out the form. 
Note that you'll have to provide certain identifying information if you'd like to be eligible to receive a reward.", "id": "item-62", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "line", "text": "The <b>email address</b> we will use to contact you", "id": "ignored_email", "cond": "", "className": "ignored", "default": "", "inputType": "text", "placeholder": "", "maxlength": 300}]}, {"type": "block", "text": "Affected product", "id": "item-66", "cond": "problem_vuln || config_whitelisted", "className": "", "items": [{"type": "block", "text": "What type of application is affected?", "id": "item-64", "cond": "", "className": "", "items": [{"type": "radio", "text": "Google Chrome, Chrome OS<br><small>and other Chromium Projects (Blink, NaCl)</small>", "id": "product_chrome", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Android platform<br><small>AOSP code, OEM code - libraries/drivers, kernel and TrustZone</small>", "id": "product_android", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "A Google web service or product<br><small>Gmail, Drive, Search, Cloud etc.</small>", "id": "product_web", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "A Google client application<br><small>Android app, iOS app, Chrome Extension, etc.</small>", "id": "product_client", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Other", "id": "product_other", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "tip", "text": "\n<p>Security bugs in the Android platform are eligible for a reward under the <a href=\"https://www.google.com/about/appsecurity/android-rewards/\">Android Security Rewards Program</a> and are out of scope for Google VRP. 
If you want to report a bug in:\n<ul>\n<li>Android Open Source Project (<a href=\"https://source.android.com/\">AOSP</a>) code\n<li>OEM code (libraries and drivers)\n<li>Android kernel\n<li>TrustZone OS and modules\n</ul>\nplease read the <a href=\"https://www.google.com/about/appsecurity/android-rewards/\">Android Security Rewards Program</a> rules and <a href=\"https://issuetracker.google.com/issues/new?component=190951&template=1022746\">report the bug here</a> instead.\n<p>If you want to report a security bug in one of Google-authored Android applications (e.g. Gmail, Maps) or you're not sure where the bug is, <label class=\"inline\" for=\"product_client\">continue here</label>.\n", "id": "android_vrp_tip", "cond": "product_android", "className": "", "default": "", "placeholder": "", "customTitle": "Participate in Android Security Rewards Program!"}, {"type": "tip", "text": "\n<p>Security bugs in Chrome and Chrome OS are eligible for a reward under the <a href=\"https://www.google.com/about/appsecurity/chrome-rewards/\">Chrome Vulnerability Rewards Program</a>.\nIn order to send a report as part of the Chrome VRP, please <a href=\"https://code.google.com/p/chromium/issues/entry?template=Security%20Bug\">report the bug here</a> instead.\n<p>If you found a security bug in Google's server-side services, you're not sure where the bug is, or don't want to go through the Chrome VRP, please <label class=\"inline\" for=\"product_web\">continue here</label>.\n", "id": "chrome_vrp_tip", "cond": "product_chrome", "className": "", "default": "", "placeholder": "", "customTitle": "Do you want to participate in Chrome Vulnerability Rewards Program?"}, {"type": "line", "text": "Please enter the URL of the affected product or service.", "id": "url", "cond": "product_web", "className": "", "default": "", "inputType": "url", "placeholder": "Example: http://www.google.com", "maxlength": 300}, {"type": "line", "text": "Please enter the name of the affected application.", "id": 
"name", "cond": "product_client || product_other", "className": "", "default": "", "inputType": "text", "placeholder": "Example: Google Shopping Express for iOS", "maxlength": 300}, {"type": "block", "text": "Is this a bug in one of Google's acquisitions (e.g. Nest, Firebase, Stackdriver)?", "id": "item-65", "cond": "!config_whitelisted && (product_web || product_other || product_client) && !(matches(url/value, \"google|orkut|youtube|doubleclick|chromium|blogger|appspot|blogspot|gmail|nest|dropcam|virustotal|itasoftware|channel.?intelligence|stackdriver|directr|beatthatquote|boston.*dynamics|spider.io|makani|postini|quickoffice|punchd|deepmind|mdialog|freebase|admob|stackdriver|firebase|pixate|widevine|kaggle|apigee|anvato|orbitera|qwiklabs|dialogflow|bitium|spider[.]io|sagetv|appetas|virustotal|quickoffice|famebit|waze|bitium|appbridge|hallilabs|lytro\", \"i\"))", "className": "", "items": [{"type": "radio", "text": "No", "id": "acquisition_no", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Yes", "id": "acquisition_yes", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "I don't know", "id": "acquisition_dontknow", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "line", "text": "How do you know this is a Google acquisition?", "id": "acquisition_url", "cond": "acquisition_yes", "className": "", "default": "", "inputType": "text", "placeholder": "Example: It was acquired in November 2016 - see http://acquisition.example.com/google-bought-us.html."}]}, {"type": "block", "text": "Vulnerability information", "id": "item-72", "cond": "config_whitelisted || (problem_vuln && (product_web || product_other || product_client))", "className": "", "items": [{"type": "morfeo-thinblock", "id": "vuln_producttype_selected", "cond": "", "className": "", "items": [{"type": "block", "text": "Vulnerability Type", "id": "item-67", "cond": "", "className": "", "items": 
[{"type": "radio", "text": "Cross-Site Scripting", "id": "vuln_xss", "cond": "product_web", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Cross-Site Request Forgery", "id": "vuln_csrf", "cond": "product_web", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Clickjacking", "id": "vuln_clickjacking", "cond": "product_web", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Authentication or authorization issue", "id": "vuln_auth_bypass", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Other", "id": "vuln_other", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "line", "text": "One-line summary of the vulnerability", "id": "vuln_summary", "cond": "!config_whitelisted && (vuln_other || vuln_auth_bypass)", "className": "", "default": "", "inputType": "text", "placeholder": "", "maxlength": 300}]}, {"type": "morfeo-thinblock", "id": "tips_by_vulntype", "cond": "!config_whitelisted", "className": "", "items": [{"type": "tip", "text": "\nPlease mention in the report in which origin the XSS fires, e.g. <a href=\"https://sites.google.com/site/bughunteruniversity/improve/alert-1-considered-harmful\">use alert(document.domain)</a> instead of alert(1). 
Check the result with a list of our <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain\">sandboxed domains</a>.\n<p class=\"good-example\"><b>Valid:</b> alert(document.domain) displays \"www.google.com\".</p>\n<p class=\"bad-example\"><b>Invalid:</b> alert(document.domain) displays \"foobar.googleusercontent.com\".</p>\n", "id": "xss_tips", "cond": "vuln_xss", "className": "", "default": "", "placeholder": ""}, {"type": "tip", "text": "\nMake sure that the attacker could use the CSRF found <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xsrf-with-meaningless-action\">in a real-world scenario</a> that affects the security of the victim user or Google. Examples:\n<p class=\"good-example\"><b>Valid:</b> CSRF a form that changes sharing settings of your account.</p>\n<p class=\"bad-example\"><b>Invalid:</b> CSRF that changes the theme color.</p>\n", "id": "csrf_tips", "cond": "vuln_csrf", "className": "", "default": "", "placeholder": ""}, {"type": "tip", "text": "\nSpecify the element on the vulnerable page you would clickjack in a real-world scenario. The action triggered must <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xsrf-with-meaningless-action\">realistically affect</a> victim user or Google security. Examples:\n<p class=\"good-example\"><b>Valid:</b> Clickjacking the button on the page that makes the profile page public.</p>\n<p class=\"bad-example\"><b>Invalid:</b> Clickjacking a contact form. Lack of X-Frame-Options on a 404 page.</p>\n", "id": "clickjacking_tips", "cond": "vuln_clickjacking", "className": "", "default": "", "placeholder": ""}]}, {"type": "box", "text": "<p>Please describe the technical details of the vulnerability. 
It's very important to let us know how we can <a href=\"https://sites.google.com/site/bughunteruniversity/improve/help-us-reproduce-the-bug\">reproduce</a> your findings.\n<ul>\n<li>Videos: Just <a href=\"https://support.google.com/youtube/answer/57407\">upload</a> an <a href=\"https://support.google.com/youtube/answer/157177\">unlisted video</a> to YouTube. Keep in mind that <a href=\"https://goo.gl/Nq487K\">videos are rarely needed</a>.\n<li>File attachments: We don't support file attachments. You'll get an email after submission; just reply with the files attached. Alternatively, upload the files and paste the link below. E.g. you may upload to <a href=\"https://support.google.com/drive/answer/2424368\">Google Drive</a> and use a <a href=\"https://support.google.com/drive/answer/2494822\">shareable link</a> feature.\n</ul>\n", "id": "body", "cond": "", "className": "", "default": "Steps to reproduce:\n 1.\n 2.\n 3.\n\nBrowser/OS: ", "placeholder": ""}, {"type": "tip", "text": "You need to describe the details of the vulnerability.", "id": "body_error", "cond": "config_error_empty_body || (matches(body/value,\"^$\"))", "className": "error", "default": "", "placeholder": "", "customTitle": "Error"}, {"type": "tip", "text": "Your report is too long, please make it shorter - focus on steps allowing us to reproduce the vulnerability and skip the unnecessary details. You can update the report later in a follow-up reply.", "id": "too_long_report_error", "cond": "config_error_too_long_report", "className": "error", "default": "", "placeholder": "", "customTitle": "Error"}, {"type": "block", "text": "", "id": "meta_warnings_container", "cond": "", "className": "", "items": [{"type": "info", "text": "<strong>Sending your PoC in a video?</strong> The best videos last between 30 seconds and 1 minute, so please try to keep it short and to the point (or at least <a href=\"https://www.youtube.com/watch?v=YdXkw3DwDd4\" target=\"_blank\">add music!</a>). 
Please take a minute to check our <a href=\"https://sites.google.com/site/bughunteruniversity/improve/how-to-record-an-effective-proof-of-concept-video\" target=\"_blank\">tips</a> for video proof of concepts.", "id": "music_video", "cond": "!(matches(url/value, \"youtube\")) && ((matches(body/value, \"\\\\byoutu.be/[a-zA-Z0-9]{11}\\\\b\", \"im\")||matches(body/value, \"\\\\youtube.com/watch[?]v=[a-zA-Z0-9]{11}\", \"im\"))||(matches(attack_scenario/value, \"\\\\byoutu.be/[a-zA-Z0-9]{11}\\\\b\", \"im\")||matches(attack_scenario/value, \"\\\\youtube.com/watch[?]v=[a-zA-Z0-9]{11}\", \"im\"))||(matches(vuln_summary/value, \"\\\\byoutu.be/[a-zA-Z0-9]{11}\\\\b\", \"im\")||matches(vuln_summary/value, \"\\\\youtube.com/watch[?]v=[a-zA-Z0-9]{11}\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\byoutu.be/[a-zA-Z0-9]{11}\\b|\\youtube.com/watch[?]v=[a-zA-Z0-9]{11}"]}, {"type": "info", "text": "<strong>Some Issue Tracker bugs are public.</strong> In Issue Tracker various bugs have different access rules. For example, some of the bugs are readable, editable or commentable by anyone with a Google account. Usually, these bugs reside somewhere under the <a href=\"https://issuetracker.google.com/issues?q=componentid:166797%2B\">Public Trackers</a> component. You can also discover such bugs by using the search functionality. All that is <b>intended behavior and not a vulnerability</b>. Various teams at Google do interact with external users via Issue Tracker and want to encourage finding or commenting on the issues users are experiencing. If you think you've found an Auth Bypass bug in Issue Tracker, please try to verify first on a bug that you shouldn't have access to (e.g. 
a VRP report filed from a different Google account, or just the bug <a href=\"https://issuetracker.google.com/issues/31337\">31337</a>).", "id": "issuetracker_auth_bypass", "cond": "(vuln_auth_bypass || vuln_other) && ((matches(body/value, \"issuetracker\\\\.google\\\\.com\", \"im\")||matches(body/value, \"issue tracker\", \"im\"))||(matches(attack_scenario/value, \"issuetracker\\\\.google\\\\.com\", \"im\")||matches(attack_scenario/value, \"issue tracker\", \"im\"))||(matches(vuln_summary/value, \"issuetracker\\\\.google\\\\.com\", \"im\")||matches(vuln_summary/value, \"issue tracker\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["issuetracker\\.google\\.com|issue tracker"]}, {"type": "info", "text": "<strong>Lack of HSTS</strong> We don't treat the lack of HSTS header for a domain as a vulnerability. Please refer to <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/lack-of-hsts\">this article</a> for context.", "id": "lack_of_hsts", "cond": "(matches(body/value, \"\\\\b(hsts|strict[- ]transport[- ]security)\\\\b\", \"im\"))||(matches(attack_scenario/value, \"\\\\b(hsts|strict[- ]transport[- ]security)\\\\b\", \"im\"))||(matches(vuln_summary/value, \"\\\\b(hsts|strict[- ]transport[- ]security)\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b(hsts|strict[- ]transport[- ]security)\\b"]}, {"type": "info", "text": "<strong>SSL/TLS vulnerabilities</strong>. SSL/TLS configuration for our services is complex and we have various mitigations in place to prevent BEAST, CRIME or POODLE that some tools don't understand. 
If you found this vulnerability using an automated tool, please double check its output and make sure the issue is not already covered in <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/commonly-reported-ssl-tls-vulnerabilities\">this article</a>.", "id": "ssltls", "cond": "!^acquisition_url && ((matches(body/value, \"\\\\b(ssl|tls)\", \"im\")&&matches(body/value, \"(poodle|beast|ssl[ ]?(v2|v3|3\\\\.0)|rc4|sha1)\", \"im\"))||(matches(attack_scenario/value, \"\\\\b(ssl|tls)\", \"im\")&&matches(attack_scenario/value, \"(poodle|beast|ssl[ ]?(v2|v3|3\\\\.0)|rc4|sha1)\", \"im\"))||(matches(vuln_summary/value, \"\\\\b(ssl|tls)\", \"im\")&&matches(vuln_summary/value, \"(poodle|beast|ssl[ ]?(v2|v3|3\\\\.0)|rc4|sha1)\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b(ssl|tls)", "(poodle|beast|ssl[ ]?(v2|v3|3\\.0)|rc4|sha1)"]}, {"type": "info", "text": "<strong>CORS Misconfiguration?</strong> A lot of Google services use Cross-Origin Resource Sharing to make it easier for our applications to interact with each other. We are well aware of the risks and the security controls to use, and for the services in clients6.google.com, googleapis.com and a few others, the use of CORS is working as intended. 
If you believe you found a vulnerability regarding CORS, please make sure to <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">write a good attack scenario</a>, and if you want to learn more about CORS security, take a look at this <a href=\"https://books.google.com/books?id=iFV8ngEACAAJ\">book we wrote about the subject</a>.", "id": "cors_misconfig", "cond": "!^acquisition_url && ((matches(body/value, \"(access-control-allow|cors|cross.origin.resource.sharing)\", \"im\")&&matches(body/value, \"(-pa.*|clients6)[.]google(apis)?[.]com\", \"im\"))||(matches(attack_scenario/value, \"(access-control-allow|cors|cross.origin.resource.sharing)\", \"im\")&&matches(attack_scenario/value, \"(-pa.*|clients6)[.]google(apis)?[.]com\", \"im\"))||(matches(vuln_summary/value, \"(access-control-allow|cors|cross.origin.resource.sharing)\", \"im\")&&matches(vuln_summary/value, \"(-pa.*|clients6)[.]google(apis)?[.]com\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["(access-control-allow|cors|cross.origin.resource.sharing)", "(-pa.*|clients6)[.]google(apis)?[.]com"]}, {"type": "info", "text": "<strong>Verify the output of tools</strong>. We often receive reports of SQL Injection, CSRF, CORS, Cookies, or Clickjacking vulnerabilities that are actually working as intended. 
If you found this vulnerability using an automated tool, please double check its output, make sure the issue is not already covered in <a href=\"https://sites.google.com/site/bughunteruniversity/improve/verify-the-output-of-the-tools\">this article</a> and make sure to <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">write a good attack scenario</a>.", "id": "tools", "cond": "!^acquisition_url && ((matches(body/value, \"(x-frame-options|content-security-policy|frame-ancestors|access-control-allow|httpOnly|cors|crossdomain[.]xml|acunetix|sqlmap)\", \"im\"))||(matches(attack_scenario/value, \"(x-frame-options|content-security-policy|frame-ancestors|access-control-allow|httpOnly|cors|crossdomain[.]xml|acunetix|sqlmap)\", \"im\"))||(matches(vuln_summary/value, \"(x-frame-options|content-security-policy|frame-ancestors|access-control-allow|httpOnly|cors|crossdomain[.]xml|acunetix|sqlmap)\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["(x-frame-options|content-security-policy|frame-ancestors|access-control-allow|httpOnly|cors|crossdomain[.]xml|acunetix|sqlmap)"]}, {"type": "info", "text": "<strong>Passive mixed content</strong>. Loading <a href=\"https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content\">passive resources</a> (like images, video or audio) over HTTP when the main page is served over HTTPS carries very little risk. 
We don't consider this a vulnerability unless the request for the HTTP resource contains trackable identifiers that affect users' privacy.", "id": "passive_mixed_content", "cond": "(matches(body/value, \"mixed[ -]content\", \"im\")||matches(body/value, \"requested an insecure (image|video|audio)\", \"im\"))||(matches(attack_scenario/value, \"mixed[ -]content\", \"im\")||matches(attack_scenario/value, \"requested an insecure (image|video|audio)\", \"im\"))||(matches(vuln_summary/value, \"mixed[ -]content\", \"im\")||matches(vuln_summary/value, \"requested an insecure (image|video|audio)\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["mixed[ -]content|requested an insecure (image|video|audio)"]}, {"type": "info", "text": "<strong>CSV Excel formula injection</strong>. We don't consider CSV Excel formula injections a vulnerability. Please read <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection\">this article</a> for the explanation.", "id": "csv_injection", "cond": "(matches(body/value, \"csv.*injection\", \"im\")&&matches(body/value, \"=\", \"im\")&&matches(body/value, \"CSV_Excel_Macro_Injection|hackerone.com/reports/72785|hackerone.com/reports/92350|comma-separated-vulnerabilities\", \"im\"))||(matches(attack_scenario/value, \"csv.*injection\", \"im\")&&matches(attack_scenario/value, \"=\", \"im\")&&matches(attack_scenario/value, \"CSV_Excel_Macro_Injection|hackerone.com/reports/72785|hackerone.com/reports/92350|comma-separated-vulnerabilities\", \"im\"))||(matches(vuln_summary/value, \"csv.*injection\", \"im\")&&matches(vuln_summary/value, \"=\", \"im\")&&matches(vuln_summary/value, \"CSV_Excel_Macro_Injection|hackerone.com/reports/72785|hackerone.com/reports/92350|comma-separated-vulnerabilities\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["csv.*injection", "=", 
"CSV_Excel_Macro_Injection|hackerone.com/reports/72785|hackerone.com/reports/92350|comma-separated-vulnerabilities"]}, {"type": "info", "text": "<strong>Reflected File Download</strong>. We don't consider Reflected File Download a vulnerability. Please read <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/reflected-file-download\">this article</a> for the explanation.", "id": "reflected_file_download", "cond": "(matches(body/value, \"reflected file download|\\\\brfd\\\\b\", \"im\"))||(matches(attack_scenario/value, \"reflected file download|\\\\brfd\\\\b\", \"im\"))||(matches(vuln_summary/value, \"reflected file download|\\\\brfd\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["reflected file download|\\brfd\\b"]}, {"type": "info", "text": "<strong>Social engineering</strong>. Reports about possible social engineering attacks such as phishing very rarely meet the bar for the reward or credit (<a href=\"https://goo.gl/QCHn92\">read more</a>). As the attacker exploits user behavior, it's very hard to fix it in software or hardware. The panel has accepted a few reports of social engineering wherein the attack scenario is really clear and convincing. If you would not fall for the trick mentioned in the submission yourself, we most likely will reject it. 
For those of you interested in appearing on our <a href=\"https://bughunter.withgoogle.com/characterlist\">Hall of Fame</a>, please note that rejected submissions diminish your HoF position.", "id": "social_engineering", "cond": "(matches(body/value, \"social[- ]engineering\", \"im\")||matches(body/value, \"phishing\", \"im\"))||(matches(attack_scenario/value, \"social[- ]engineering\", \"im\")||matches(attack_scenario/value, \"phishing\", \"im\"))||(matches(vuln_summary/value, \"social[- ]engineering\", \"im\")||matches(vuln_summary/value, \"phishing\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["social[- ]engineering|phishing"]}, {"type": "info", "text": "<strong>Limited content reflection or content spoofing</strong>. If the reflected content is limited (for example it's just text, or a safe subset of HTML that cannot result in an XSS) we don't consider it a vulnerability in itself. Please double check that the scenario you are planning to report is not one of the issues mentioned in <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/limited-content-reflection-or-content-spoofing\">this article</a>. Your submission is more likely to be accepted if you can turn the injection into an XSS. 
Good luck!", "id": "text_injection", "cond": "(matches(body/value, \"Content_Spoofing\", \"im\")||matches(body/value, \"content\\\\W+spoofing\", \"im\")||matches(body/value, \"text injection\", \"im\"))||(matches(attack_scenario/value, \"Content_Spoofing\", \"im\")||matches(attack_scenario/value, \"content\\\\W+spoofing\", \"im\")||matches(attack_scenario/value, \"text injection\", \"im\"))||(matches(vuln_summary/value, \"Content_Spoofing\", \"im\")||matches(vuln_summary/value, \"content\\\\W+spoofing\", \"im\")||matches(vuln_summary/value, \"text injection\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["Content_Spoofing|content\\W+spoofing|text injection"]}, {"type": "info", "text": "<strong>Manual XSS</strong>. Not every alert(1) proves that there is an XSS. If you modified the response from the server in a proxy (e.g. ZAP or Burp) or used browser developer tools (e.g. Firebug or Chrome Developer Tools) to paste HTML/JavaScript code (e.g. via the \"Inspect element\" feature), it's not a vulnerability and your bug report will be rejected. Make sure your submission is not an issue mentioned in <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/manual-xss\">this article</a>. To find real XSS vulnerabilities, focus on changing what you're sending to the server, not what is received back.", "id": "manual_xss", "cond": "vuln_xss && ((matches(body/value, \"\\\\b(burp|firebug|inspector|developer tools|inspect)\\\\b\", \"im\"))||(matches(attack_scenario/value, \"\\\\b(burp|firebug|inspector|developer tools|inspect)\\\\b\", \"im\"))||(matches(vuln_summary/value, \"\\\\b(burp|firebug|inspector|developer tools|inspect)\\\\b\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b(burp|firebug|inspector|developer tools|inspect)\\b"]}, {"type": "info", "text": "<strong>XSS in a sandbox domain</strong>. 
While an XSS on www.google.com will give you $$$ and fame, the same thing on *.googleusercontent.com will be instantly rejected. We created <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xss-in-sandbox-domain\">some domains</a> specifically to host untrusted code, so that an XSS vulnerability will be contained there and you won't be able to attack Google thanks to Same Origin Policy.<br><br>Cool party trick: use alert(document.domain) instead of alert(1) to see exactly which domain you've attacked. If what you see is googleusercontent.com, googlegroups.com, googleapis.com, googledrive.com and so on, your report will most likely be rejected.", "id": "sandboxed_xss", "cond": "vuln_xss && ((matches(body/value, \"(googleusercontent|googlecode|feeds[.]feedburner|googleadservices|googledrive|googleapis|googlegroups|blogspot|storage[.]googleapis)[.]com\", \"im\"))||(matches(attack_scenario/value, \"(googleusercontent|googlecode|feeds[.]feedburner|googleadservices|googledrive|googleapis|googlegroups|blogspot|storage[.]googleapis)[.]com\", \"im\"))||(matches(vuln_summary/value, \"(googleusercontent|googlecode|feeds[.]feedburner|googleadservices|googledrive|googleapis|googlegroups|blogspot|storage[.]googleapis)[.]com\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["(googleusercontent|googlecode|feeds[.]feedburner|googleadservices|googledrive|googleapis|googlegroups|blogspot|storage[.]googleapis)[.]com"]}, {"type": "info", "text": "<strong>Google Translate XSS</strong>. Make sure the XSS fires on <b>translate.google.com</b>. If it fires on <b>translate.googleusercontent.com</b> instead, it's not a bug - this is our <a href=\"https://goo.gl/KaPfYz\">sandbox domain</a>. 
Use alert(document.domain) to confirm that.", "id": "translate_xss", "cond": "(matches(body/value, \"xss[\\\\s\\\\S]*translate[.]google[.]com\", \"im\")||matches(body/value, \"translate[.]googleusercontent[.]com\", \"im\"))||(matches(attack_scenario/value, \"xss[\\\\s\\\\S]*translate[.]google[.]com\", \"im\")||matches(attack_scenario/value, \"translate[.]googleusercontent[.]com\", \"im\"))||(matches(vuln_summary/value, \"xss[\\\\s\\\\S]*translate[.]google[.]com\", \"im\")||matches(vuln_summary/value, \"translate[.]googleusercontent[.]com\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["xss[\\s\\S]*translate[.]google[.]com|translate[.]googleusercontent[.]com"]}, {"type": "info", "text": "<strong>CSRF that requires knowledge of a secret</strong>. We might be wrong, but it looks like your submission mentions an issue described <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xsrf-with-unpredictable-long-id\">in this article</a>. We'll look into it, but it might be rejected for that reason. Does exploiting the issue require the attacker to know a parameter value that they couldn't easily bruteforce? For example, sometimes the target URL or one of the parameters of a form contains a long identifier (such as a document ID or user ID). Make sure you're not just copy-pasting URL/parameters from your victim's logged in account. Assume you don't have the victim's password and try to create a full attack from scratch in a fresh browsing session. 
If it still works, go ahead!", "id": "unexploitable_csrf", "cond": "vuln_csrf && ((matches(body/value, \"(=|:[\\\\s]?)[\\\\x22']?[0-9a-z_-]{16,}\", \"im\"))||(matches(attack_scenario/value, \"(=|:[\\\\s]?)[\\\\x22']?[0-9a-z_-]{16,}\", \"im\"))||(matches(vuln_summary/value, \"(=|:[\\\\s]?)[\\\\x22']?[0-9a-z_-]{16,}\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["(=|:[\\s]?)[\\x22']?[0-9a-z_-]{16,}"]}, {"type": "info", "text": "<strong>Logout CSRF</strong>. We don't consider a \"<a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/logout-xsrf\">Logout CSRF</a>\" a vulnerability. While it is annoying to be logged out just by visiting an unrelated page, unfortunately the web platform itself is designed in such a way that this problem is unfixable. The cookies containing your session ID can be removed in many ways. We don't like it either, but that's life...", "id": "logout_csrf", "cond": "vuln_csrf && ((matches(body/value, \"logout\", \"im\")||matches(body/value, \"signout\", \"im\"))||(matches(attack_scenario/value, \"logout\", \"im\")||matches(attack_scenario/value, \"signout\", \"im\"))||(matches(vuln_summary/value, \"logout\", \"im\")||matches(vuln_summary/value, \"signout\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["logout|signout"]}, {"type": "info", "text": "<strong>CSRF</strong> Make sure that the action you can <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xsrf-with-meaningless-action\">CSRF is security relevant</a>. Often, tools automatically detect lack of CSRF token enforcement on actions that are security-irrelevant, such as changing the language of a site, changing the site layout, or logging the user out. 
If you are reporting a bug (especially if it was detected automatically by a tool), make sure to include an <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">attack scenario</a>.", "id": "generic_csrf", "cond": "vuln_csrf && ((matches(body/value, \"form.*action.*method\", \"im\")&&matches(body/value, \"type.*hidden\", \"im\")&&matches(body/value, \"value.*Submit\", \"im\"))||(matches(attack_scenario/value, \"form.*action.*method\", \"im\")&&matches(attack_scenario/value, \"type.*hidden\", \"im\")&&matches(attack_scenario/value, \"value.*Submit\", \"im\"))||(matches(vuln_summary/value, \"form.*action.*method\", \"im\")&&matches(vuln_summary/value, \"type.*hidden\", \"im\")&&matches(vuln_summary/value, \"value.*Submit\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["form.*action.*method", "type.*hidden", "value.*Submit"]}, {"type": "info", "text": "<strong>Cookies working after logout</strong>. You log in to the service, capture cookies, then log out. Sometimes you notice that the cookies still work. For example, if you replay the requests with them, the service still lets you in. Unfortunately, for most Google applications this is a known issue and such behavior is intended. For a limited time (up to an hour), you can still reuse cookies and we <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/cookies-working-after-logout\">don't consider this a vulnerability</a>. This is very unlikely to be used in real attacks as you need to have physical access to the machine in order to capture cookies. 
An attacker can do almost anything with physical access (such as install malware, dump memory contents, change DNS settings or proxy network traffic).", "id": "cookie_expiration", "cond": "(vuln_auth_bypass || vuln_other) && ((matches(body/value, \"cookie\", \"im\")&&matches(body/value, \"logout\", \"im\"))||(matches(attack_scenario/value, \"cookie\", \"im\")&&matches(attack_scenario/value, \"logout\", \"im\"))||(matches(vuln_summary/value, \"cookie\", \"im\")&&matches(vuln_summary/value, \"logout\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["cookie", "logout"]}, {"type": "info", "text": "<strong>Delayed Access Control</strong>. Most of our services have some delay when applying changes to access control lists. The delays vary from seconds up to a few hours, depending on the sensitivity of the service. Please double check that your auth bypass vulnerabilities work after a few minutes, and make sure to include a <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">good attack scenario</a> describing an attack where this delay would be too long.", "id": "delayed_acl", "cond": "vuln_auth_bypass && (matches(body/value, \"user|admin\", \"i\")) && ((matches(body/value, \"intercept\", \"im\")||matches(body/value, \"burp\", \"im\"))||(matches(attack_scenario/value, \"intercept\", \"im\")||matches(attack_scenario/value, \"burp\", \"im\"))||(matches(vuln_summary/value, \"intercept\", \"im\")||matches(vuln_summary/value, \"burp\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["intercept|burp"]}, {"type": "info", "text": "<strong>Open redirect</strong>. If you redirect the user from a Google URL to any other website, it's called an open redirect. While it can be used to phish users, it is not always a vulnerability. 
We have other countermeasures in place that make phishing hard, and our stance is that having well-designed and closely monitored URL redirections is better for our users, both from a security and usability point of view. Submissions mentioning open redirects are most often rejected as invalid; see <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect\">this article</a> for more information.<br><br>Of course, if you can redirect to a javascript: URL and make the code execute in a non-sandboxed Google domain, that's an issue. Report it as an XSS.", "id": "open_redirect", "cond": "(vuln_xss || vuln_csrf || vuln_other) && ((matches(body/value, \"open\\\\W+redirect\", \"im\")||matches(body/value, \"redirect[\\\\s\\\\S]*redirect\", \"im\"))||(matches(attack_scenario/value, \"open\\\\W+redirect\", \"im\")||matches(attack_scenario/value, \"redirect[\\\\s\\\\S]*redirect\", \"im\"))||(matches(vuln_summary/value, \"open\\\\W+redirect\", \"im\")||matches(vuln_summary/value, \"redirect[\\\\s\\\\S]*redirect\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["open\\W+redirect|redirect[\\s\\S]*redirect"]}, {"type": "info", "text": "<strong>App Engine Open Redirect</strong>. The Google App Engine Users API allows application developers to redirect users to <a href=\"https://cloud.google.com/appengine/docs/standard/python/refdocs/google.appengine.api.users\">an arbitrary site</a> after the user is logged in or logged out, as such it is working as intended that you can use this API as an open redirect. 
You can read our opinion on open redirect vulnerabilities <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect\">here</a>.", "id": "appengine_open_redirect", "cond": "(matches(body/value, \"https?(://|[%\\\\w]+)appengine([.]|[%\\\\w]+)google([.]|[%\\\\w]+)com(/|[%\\\\w]+)_?ah(/|[%\\\\w]+)(logout|conflogin)([?&=%\\\\w]+)continue[%=]\", \"im\"))||(matches(attack_scenario/value, \"https?(://|[%\\\\w]+)appengine([.]|[%\\\\w]+)google([.]|[%\\\\w]+)com(/|[%\\\\w]+)_?ah(/|[%\\\\w]+)(logout|conflogin)([?&=%\\\\w]+)continue[%=]\", \"im\"))||(matches(vuln_summary/value, \"https?(://|[%\\\\w]+)appengine([.]|[%\\\\w]+)google([.]|[%\\\\w]+)com(/|[%\\\\w]+)_?ah(/|[%\\\\w]+)(logout|conflogin)([?&=%\\\\w]+)continue[%=]\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["https?(://|[%\\w]+)appengine([.]|[%\\w]+)google([.]|[%\\w]+)com(/|[%\\w]+)_?ah(/|[%\\w]+)(logout|conflogin)([?&=%\\w]+)continue[%=]"]}, {"type": "info", "text": "<strong>Fiber customer IP</strong>. Many of the reports we get about Fiber turn out to affect Fiber customers, not the Fiber infrastructure. These reports are out of scope for the Google VRP. To determine whether an IP belongs to a Fiber customer, please check the affected IP's RWhois entries with a <a href=\"https://www.whois.com/whois/\">whois tool</a>. If you see a \"network:Description:Residential Market Area\" entry, or a \"network:Org-Name\" entry with a value other than \"Google Fiber Inc.\", then the IP belongs to a Fiber customer. 
In this case, please report the bug to <a href=\"mailto:abuse@googlefiber.net\">abuse@googlefiber.net</a> and the Fiber team will find and notify the affected customer.", "id": "fiber_customer", "cond": "(matches(body/value, \"fiber\", \"im\"))||(matches(attack_scenario/value, \"fiber\", \"im\"))||(matches(vuln_summary/value, \"fiber\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["fiber"]}, {"type": "info", "text": "<strong>Clickjacking with unreasonable user interaction</strong>. Some clickjacking attacks require the user to interact with the page multiple times to complete the action. For example, you need to make a few clicks, type something, press J and then press Enter. Unless attack results are truly catastrophic, such a report will be rejected, because the scenario is unrealistic. (<a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/clickjacking-with-unreasonable-user-interaction\">read more</a>).<br><br>Always ask yourself the question: Would I fall for that trick myself? If the answer is \"no\", then it's best to keep looking for another vulnerability to report.", "id": "manual_clickjacking", "cond": "vuln_clickjacking && ((matches(body/value, \"(click|type)[\\\\s\\\\S]{0,100}(click|type)[\\\\s\\\\S]{0,100}(click|type)\", \"im\"))||(matches(attack_scenario/value, \"(click|type)[\\\\s\\\\S]{0,100}(click|type)[\\\\s\\\\S]{0,100}(click|type)\", \"im\"))||(matches(vuln_summary/value, \"(click|type)[\\\\s\\\\S]{0,100}(click|type)[\\\\s\\\\S]{0,100}(click|type)\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["(click|type)[\\s\\S]{0,100}(click|type)[\\s\\S]{0,100}(click|type)"]}, {"type": "info", "text": "<strong>Clickjacking? 
Check again!</strong> The absence of the \"X-Frame-Options\" header may enable clickjacking attacks, but this is true only if the affected page exposes a simple UI where the attacker could accomplish something security-relevant with one or very few well-placed clicks. Make sure you <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/clickjacking-without-risk\">clearly explain the risk</a> and that the action you can <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/xsrf-with-meaningless-action\">clickjack is security relevant</a>.", "id": "generic_clickjacking", "cond": "vuln_clickjacking && ((matches(body/value, \"clickjack test page\", \"im\")||matches(body/value, \"Clickjacking_Defense_Cheat_Sheet\", \"im\"))||(matches(attack_scenario/value, \"clickjack test page\", \"im\")||matches(attack_scenario/value, \"Clickjacking_Defense_Cheat_Sheet\", \"im\"))||(matches(vuln_summary/value, \"clickjack test page\", \"im\")||matches(vuln_summary/value, \"Clickjacking_Defense_Cheat_Sheet\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["clickjack test page|Clickjacking_Defense_Cheat_Sheet"]}, {"type": "info", "text": "<strong>Static page clickjacking</strong>. It seems like the clickjacking vulnerability you are reporting is in a static page. Please double check that there is something in the page <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/clickjacking-without-risk\">that can be clickjacked</a>, otherwise this report will be closed as invalid.", "id": "static_clickjacking", "cond": "vuln_clickjacking && ((matches(body/value, \"/intl/\", \"im\"))||(matches(attack_scenario/value, \"/intl/\", \"im\"))||(matches(vuln_summary/value, \"/intl/\", \"im\")))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["/intl/"]}, {"type": "info", "text": "<strong>Tabnabbing</strong>. 
<p><a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener\">We believe</a> that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website. That said, we have been researching this problem for some time (<a href=\"https://github.com/molnarg/tabnabbing-demo\">here</a> and <a href=\"http://lcamtuf.coredump.cx/switch/\">here</a>), and have been working with the browser vendors to find <a href=\"https://github.com/whatwg/html/issues/3740\">a solution</a>. Until we find a good solution for this problem at the browser level, we will only make changes on our web applications when we see a convincing <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">attack scenario</a>.</p>", "id": "tabnabbing", "cond": "(matches(body/value, \"tab.?nabbing\", \"im\")||matches(body/value, \"noopener\", \"im\"))||(matches(attack_scenario/value, \"tab.?nabbing\", \"im\")||matches(attack_scenario/value, \"noopener\", \"im\"))||(matches(vuln_summary/value, \"tab.?nabbing\", \"im\")||matches(vuln_summary/value, \"noopener\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["tab.?nabbing|noopener"]}, {"type": "info", "text": "<strong>Receiving email for.someone.else@gmail.com</strong>? <p>If you are receiving emails for someone with a similar email address as yours, but with more (or less) dots, then please read <a href=\"https://goo.gl/owh2Sp\">this article</a> for an explanation. 
It's just a misunderstanding.</p>", "id": "dot_in_email", "cond": "(matches(body/value, \"@g(?:oogle)?mail.com\", \"im\")&&matches(body/value, \"[^.a-z0-9]([a-z0-9]+?)([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\1[.]\\\\2|([a-z0-9]+)[.]([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\3\\\\4\", \"im\"))||(matches(attack_scenario/value, \"@g(?:oogle)?mail.com\", \"im\")&&matches(attack_scenario/value, \"[^.a-z0-9]([a-z0-9]+?)([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\1[.]\\\\2|([a-z0-9]+)[.]([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\3\\\\4\", \"im\"))||(matches(vuln_summary/value, \"@g(?:oogle)?mail.com\", \"im\")&&matches(vuln_summary/value, \"[^.a-z0-9]([a-z0-9]+?)([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\1[.]\\\\2|([a-z0-9]+)[.]([a-z0-9]+@g(?:oogle)?mail.com)[\\\\s\\\\S]*\\\\3\\\\4\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["@g(?:oogle)?mail.com", "[^.a-z0-9]([a-z0-9]+?)([a-z0-9]+@g(?:oogle)?mail.com)[\\s\\S]*\\1[.]\\2|([a-z0-9]+)[.]([a-z0-9]+@g(?:oogle)?mail.com)[\\s\\S]*\\3\\4"]}, {"type": "info", "text": "<strong>Researching account recovery</strong>? <p>In many cases, researchers tell us they can recover their own test accounts. <strong>This is working as intended</strong>! You should be able to <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/using-google-account-recovery-to-hijack-test-accounts\">recover accounts that you created</a> :). It might seem surprising at first, but we use many, many signals in this process, in particular your approximate physical location and computer addresses, some of which are difficult to properly assess in small scale testing. 
Feel free to send your report, but be aware <strong>most of the account recovery reports we receive are not actually bugs</strong>.</p>", "id": "account_recovery", "cond": "(matches(body/value, \"account.recovery\", \"im\")||matches(body/value, \"reset password\", \"im\")||matches(body/value, \"password reset\", \"im\")||matches(body/value, \"password change\", \"im\")||matches(body/value, \"lost (my )?password\", \"im\")||matches(body/value, \"https://www[.]google[.]com/accounts/recovery\", \"im\"))||(matches(attack_scenario/value, \"account.recovery\", \"im\")||matches(attack_scenario/value, \"reset password\", \"im\")||matches(attack_scenario/value, \"password reset\", \"im\")||matches(attack_scenario/value, \"password change\", \"im\")||matches(attack_scenario/value, \"lost (my )?password\", \"im\")||matches(attack_scenario/value, \"https://www[.]google[.]com/accounts/recovery\", \"im\"))||(matches(vuln_summary/value, \"account.recovery\", \"im\")||matches(vuln_summary/value, \"reset password\", \"im\")||matches(vuln_summary/value, \"password reset\", \"im\")||matches(vuln_summary/value, \"password change\", \"im\")||matches(vuln_summary/value, \"lost (my )?password\", \"im\")||matches(vuln_summary/value, \"https://www[.]google[.]com/accounts/recovery\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["account.recovery|reset password|password reset|password change|lost (my )?password|https://www[.]google[.]com/accounts/recovery"]}, {"type": "info", "text": "<strong>Bug in 2-Step Verification</strong>? <p>A lot of researchers confuse <a href=\"https://support.google.com/a/answer/6002699?hl=en\">Login Challenge</a> with <a href=\"https://www.google.com/landing/2step/\">2-Step Verification</a>. Make sure you don't make the same mistake! Login Challenge <strong>reuses verification codes</strong> and <strong>bypassing it is easy</strong> if you look less suspicious (like if you login from a known computer). 
If that's what you found, then chances are this is not actually a bug :).</p>", "id": "two_step_verification", "cond": "(matches(body/value, \"\\\\b2[- ]?sv\\\\b|\\\\b2[- ]?fa\\\\b\", \"im\")||matches(body/value, \"(2|two).?(factor|step).?(verification|authentication)\", \"im\")||matches(body/value, \"IdvChallenge\", \"im\"))||(matches(attack_scenario/value, \"\\\\b2[- ]?sv\\\\b|\\\\b2[- ]?fa\\\\b\", \"im\")||matches(attack_scenario/value, \"(2|two).?(factor|step).?(verification|authentication)\", \"im\")||matches(attack_scenario/value, \"IdvChallenge\", \"im\"))||(matches(vuln_summary/value, \"\\\\b2[- ]?sv\\\\b|\\\\b2[- ]?fa\\\\b\", \"im\")||matches(vuln_summary/value, \"(2|two).?(factor|step).?(verification|authentication)\", \"im\")||matches(vuln_summary/value, \"IdvChallenge\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b2[- ]?sv\\b|\\b2[- ]?fa\\b|(2|two).?(factor|step).?(verification|authentication)|IdvChallenge"]}, {"type": "info", "text": "<strong>Bad SPF? DMARC? DKIM?</strong>? <p>Wait :), we actually do not consider issues and bypasses to SPF and DKIM a security vulnerability. We are slowly deploying our email policies to match the best balance between security and usability. 
Please take a look at <a href=\"https://sites.google.com/site/bughunteruniversity/nonvuln/invalid-spf-policy-and-e-mail-spoofing-issues\">this document</a> where we explain our stance on SPF and email spoofing.</p>", "id": "email_spoofing", "cond": "(matches(body/value, \"\\\\bd[.]?k[.]?i[.]?m\\\\b\", \"im\")||matches(body/value, \"\\\\bd[.]?m[.]?a[.]?r[.]?c\\\\b\", \"im\")||matches(body/value, \"\\\\bs[.]?p[.]?f\\\\b\", \"im\")||matches(body/value, \"Domain.?Keys.?Identified.?Mail\", \"im\")||matches(body/value, \"Sender.?Policy.?Framework\", \"im\")||matches(body/value, \"Domain.?based.?Message.?Authentication.*Reporting.?(and )?Conformance\", \"im\")||matches(body/value, \"email.*spoofing\", \"im\"))||(matches(attack_scenario/value, \"\\\\bd[.]?k[.]?i[.]?m\\\\b\", \"im\")||matches(attack_scenario/value, \"\\\\bd[.]?m[.]?a[.]?r[.]?c\\\\b\", \"im\")||matches(attack_scenario/value, \"\\\\bs[.]?p[.]?f\\\\b\", \"im\")||matches(attack_scenario/value, \"Domain.?Keys.?Identified.?Mail\", \"im\")||matches(attack_scenario/value, \"Sender.?Policy.?Framework\", \"im\")||matches(attack_scenario/value, \"Domain.?based.?Message.?Authentication.*Reporting.?(and )?Conformance\", \"im\")||matches(attack_scenario/value, \"email.*spoofing\", \"im\"))||(matches(vuln_summary/value, \"\\\\bd[.]?k[.]?i[.]?m\\\\b\", \"im\")||matches(vuln_summary/value, \"\\\\bd[.]?m[.]?a[.]?r[.]?c\\\\b\", \"im\")||matches(vuln_summary/value, \"\\\\bs[.]?p[.]?f\\\\b\", \"im\")||matches(vuln_summary/value, \"Domain.?Keys.?Identified.?Mail\", \"im\")||matches(vuln_summary/value, \"Sender.?Policy.?Framework\", \"im\")||matches(vuln_summary/value, \"Domain.?based.?Message.?Authentication.*Reporting.?(and )?Conformance\", \"im\")||matches(vuln_summary/value, \"email.*spoofing\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": 
["\\bd[.]?k[.]?i[.]?m\\b|\\bd[.]?m[.]?a[.]?r[.]?c\\b|\\bs[.]?p[.]?f\\b|Domain.?Keys.?Identified.?Mail|Sender.?Policy.?Framework|Domain.?based.?Message.?Authentication.*Reporting.?(and )?Conformance|email.*spoofing"]}, {"type": "info", "text": "<strong>That's not ours :)</strong><p>Some services, while residing on a domain name that belongs to Google or one of its acquisitions, are operated by third party vendors. Understandably we cannot authorize security testing those applications. We'll gladly accept the report (thanks!) and forward it to the right people, but unfortunately these services are <b>out&nbsp;of&nbsp;scope</b> for our VRP. This is the case for <b>zagat.com</b>, <b>community.nest.com</b>, <b>youtube-creatorcommunity.com</b>, <b>advertisercommunity.com</b>, <b>connect.googleforwork.com</b>, <b>cloudconnect.goog</b>, <b>localguidesconnect.com</b>, <b>cloudconnectcommunity.com</b> and others. Make sure to check who owns the IP address (or ask us) before starting the security test.", "id": "service_out_of_scope", "cond": "(matches(body/value, \"\\\\b(zagat[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\byoutube-creatorcommunity[.]com\\\\b\", \"im\")||matches(body/value, \"\\\\b(community[.]nest[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(training[.]nest[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(connect[.]googleforwork[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(advertisercommunity[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(cloudconnect[.]goog)\\\\b\", \"im\")||matches(body/value, \"\\\\b(localguidesconnect[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(cloudconnectcommunity[.]com)\\\\b\", \"im\"))||(matches(url/value, \"\\\\b(zagat[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\byoutube-creatorcommunity[.]com\\\\b\", \"im\")||matches(url/value, \"\\\\b(community[.]nest[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(training[.]nest[.]com)\\\\b\", \"im\")||matches(url/value, 
\"\\\\b(connect[.]googleforwork[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(advertisercommunity[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(cloudconnect[.]goog)\\\\b\", \"im\")||matches(url/value, \"\\\\b(localguidesconnect[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(cloudconnectcommunity[.]com)\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b(zagat[.]com)\\b|\\byoutube-creatorcommunity[.]com\\b|\\b(community[.]nest[.]com)\\b|\\b(training[.]nest[.]com)\\b|\\b(connect[.]googleforwork[.]com)\\b|\\b(advertisercommunity[.]com)\\b|\\b(cloudconnect[.]goog)\\b|\\b(localguidesconnect[.]com)\\b|\\b(cloudconnectcommunity[.]com)\\b"]}, {"type": "info", "text": "<strong>That's not ours :)</strong><p>That acquisition (Skybox, Niantic Labs, Terra Bella, Daily Deal or Sketchup) no longer belongs to Google. Understandably we cannot authorize security testing on those applications, and they are not in scope for our VRP. Make sure to check who owns the IP address and the domain name before starting the security test.", "id": "former_acquisition_out_of_scope", "cond": "(matches(body/value, \"\\\\b(terrabella[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(skybox(imaging)?[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(terrabellatech[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(sketchup[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(dailydeal[.]de)\\\\b\", \"im\")||matches(body/value, \"\\\\b(nianticlabs[.]com)\\\\b\", \"im\"))||(matches(url/value, \"\\\\b(terrabella[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(skybox(imaging)?[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(terrabellatech[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(sketchup[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(dailydeal[.]de)\\\\b\", \"im\")||matches(url/value, \"\\\\b(nianticlabs[.]com)\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": 
["\\b(terrabella[.]com)\\b|\\b(skybox(imaging)?[.]com)\\b|\\b(terrabellatech[.]com)\\b|\\b(sketchup[.]com)\\b|\\b(dailydeal[.]de)\\b|\\b(nianticlabs[.]com)\\b"]}, {"type": "info", "text": "<strong>That's not ours :)</strong><p>Polar.com and adscape.com are run by companies with similar names to the ones we acquired, but it's just a coincidence. Understandably we cannot authorize security testing on those applications, and they are not in scope for our VRP. Make sure to check who owns the IP address and the domain name before starting the security test.", "id": "acquisition_name_conflict", "cond": "(matches(body/value, \"\\\\b(polar[.]com)\\\\b\", \"im\")||matches(body/value, \"\\\\b(adscape[.]com)\\\\b\", \"im\"))||(matches(url/value, \"\\\\b(polar[.]com)\\\\b\", \"im\")||matches(url/value, \"\\\\b(adscape[.]com)\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["\\b(polar[.]com)\\b|\\b(adscape[.]com)\\b"]}, {"type": "info", "text": "<strong>Stop!</strong><p>The services running under subdomains of <b>bc.googleusercontent.com</b> and <b>mci.googlefiber.net</b> belong to Google Cloud Platform or Google Fiber customers. 
Understandably we cannot authorize security testing of non-Google owned applications and they are <b>out of scope</b> for the VRP.</p>", "id": "customer_service_out_of_scope", "cond": "(matches(body/value, \"[.]bc.googleusercontent[.]com\\\\b\", \"im\")||matches(body/value, \"[.]mci[.]googlefiber[.]com\\\\b\", \"im\"))||(matches(url/value, \"[.]bc.googleusercontent[.]com\\\\b\", \"im\")||matches(url/value, \"[.]mci[.]googlefiber[.]com\\\\b\", \"im\"))||(matches(name/value, \"[.]bc.googleusercontent[.]com\\\\b\", \"im\")||matches(name/value, \"[.]mci[.]googlefiber[.]com\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["[.]bc.googleusercontent[.]com\\b|[.]mci[.]googlefiber[.]com\\b"]}, {"type": "info", "text": "<strong>Wait!</strong><p>Most services running under subdomains of <b>appspot.com</b>, <b>firebaseio.com</b> and <b>devportal.apigee.com</b> belong to Google customers. Understandably we cannot authorize security testing of non-Google owned applications and they are <b>out of scope</b> for the VRP. 
<p>Please double check that the application is clearly labeled as Google-owned before testing.</p>", "id": "likely_out_of_scope", "cond": "(matches(body/value, \"[.]appspot[.]com\\\\b\", \"im\")||matches(body/value, \"[.]firebaseio[.]com\\\\b\", \"im\")||matches(body/value, \"devportal[.]apigee[.]com\\\\b\", \"im\"))||(matches(url/value, \"[.]appspot[.]com\\\\b\", \"im\")||matches(url/value, \"[.]firebaseio[.]com\\\\b\", \"im\")||matches(url/value, \"devportal[.]apigee[.]com\\\\b\", \"im\"))||(matches(name/value, \"[.]appspot[.]com\\\\b\", \"im\")||matches(name/value, \"[.]firebaseio[.]com\\\\b\", \"im\")||matches(name/value, \"devportal[.]apigee[.]com\\\\b\", \"im\"))", "className": "maia-promo", "default": "", "placeholder": "", "matchRegexps": ["[.]appspot[.]com\\b|[.]firebaseio[.]com\\b|devportal[.]apigee[.]com\\b"]}, {"type": "info", "text": "<strong>Note about unlisted YouTube videos</strong>:<p>If a YouTube unlisted video has ever been public, it's possible (and common) that the video might still be discoverable in many different ways, for example:<ul><li>Other users might have publicly commented about it<li>Other users might have added the video to a playlist<li>Search engines might have found it when it was public, and indexed it</ul>If a video is meant to be secret, then <em>\"Private\"</em> is the right privacy setting to use.</p>", "id": "youtube_unlisted", "cond": "((matches(body/value, \"youtube\")) || (matches(url/value, \"youtube\"))) && (matches(body/value, \"unlisted\") || matches(attack_scenario/value, \"unlisted\")) && vuln_auth_bypass", "className": "maia-promo", "default": "", "placeholder": ""}]}, {"type": "box", "text": "Please briefly explain who can exploit the vulnerability, and what they gain when doing so - <a href=\"https://sites.google.com/site/bughunteruniversity/improve/writing-the-perfect-attack-scenario\">write an attack scenario</a>. 
This will help us greatly to quickly evaluate your report, especially if the issue is complex.", "id": "attack_scenario", "cond": "!config_whitelisted", "className": "", "default": "", "placeholder": "Example:\nA regular user of Google Foobar may escalate privileges to become a Google Foobar group administrator. The other Foobar group administrator clicks the link with the payload posted in the group message to trigger the vulnerability."}, {"type": "block", "text": "Is this vulnerability public or known to third parties?", "id": "item-68", "cond": "", "className": "", "items": [{"type": "radio", "text": "Yes, this vulnerability is public or known to third parties.", "id": "public_yes", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "No, this vulnerability is private.", "id": "public_no", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "How quickly do we need to start looking at this?", "id": "item-69", "cond": "public_yes", "className": "", "items": [{"type": "radio", "text": "Immediately. If needed, get people out of bed.", "id": "urgent_yes", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "Should be looked at in the next 24 hours or so.", "id": "urgent_no", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "tip", "text": "This option might really get someone out of bed. Please don't select it unless there's a serious imminent or active attack on Google users or services.", "id": "page", "cond": "public_yes && urgent_yes", "className": "", "default": "", "placeholder": ""}, {"type": "block", "text": "Reward Program", "id": "item-71", "cond": "product_web || product_client", "className": "", "items": [{"type": "info", "text": "If your vulnerability report is valid, and not a duplicate, it might be in scope of <a href=\"//g.co/vrp\" target=\"_blank\">Google's Vulnerability Reward Program</a>. 
If you <b>donate</b> your reward to charity, we will double your reward.", "id": "item-70", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "<b>Donate reward to charity</b>", "id": "charity", "cond": "", "className": "", "default": "", "placeholder": ""}]}]}]}, {"type": "block", "text": "Urgent Security Report", "id": "item-81", "cond": "^page && urgent_yes && !config_whitelisted", "className": "", "items": [{"type": "info", "text": "You have indicated that your security report is urgent, and needs to be looked at right now.", "id": "item-73", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "First of all, we want to ensure you are reaching the right team, otherwise your report will be ignored.", "id": "item-74", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "block", "text": "Who is affected by this vulnerability?", "id": "item-75", "cond": "", "className": "", "items": [{"type": "radio", "text": "Only my account or my information is affected.", "id": "affected_one", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "A few Google users are affected.", "id": "affected_few", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "The accounts and information of all Google users are affected.", "id": "affected_many", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "The proprietary or confidential information of Google is affected.", "id": "affected_google", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "Why do you think the Google information security team can help?", "id": "item-76", "cond": "", "className": "", "items": [{"type": "radio", "text": "Because there is no one else I could find.", "id": "whyvuln_lastresort", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", 
"text": "Because I found a vulnerability in Google.", "id": "whyvuln_vuln", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "Confirmation", "id": "item-80", "cond": "whyvuln_lastresort || affected_one || affected_few", "className": "", "items": [{"type": "tip", "text": "Based on your answers, we suspect <b>we will NOT be able to help you</b>. This form is not the right place to report problems with your account, report non-security bugs or suggest new product features.", "id": "page_wrong_answer", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "block", "text": "Do you still want to submit your report here?", "id": "item-77", "cond": "", "className": "", "items": [{"type": "radio", "text": "My report is a security vulnerability, and I want to submit it here.", "id": "page_confirmation_yes", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "radio", "text": "No, show me where I can get more help.", "id": "page_confirmation_no", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "morfeo-thinblock", "id": "more_help_info", "cond": "page_confirmation_no", "className": "", "items": [{"type": "info", "text": "<p>We are sorry to hear our products are causing you problems. 
Please <a target=\"_self\" href=\"https://goo.gl/sRVFOi\">click here</a> to get help from other users and Google employees or <a target=\"_self\" href=\"https://goo.gl/a08Sqb\">click here</a> to learn about other ways you can contact us.</p>", "id": "item-78", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "<p>Please visit our <a href=\"https://goo.gl/rCAXJp\" target=\"_self\">Privacy Troubleshooter</a> to find answers to most privacy problems, <a href=\"https://goo.gl/BLhMHN\" target=\"_self\">Security Checkup</a> to review the security settings of your account or <a href=\"https://goo.gl/nbVbd\" target=\"_self\">Recently used devices</a> page to investigate the activity on your account.</p>", "id": "item-79", "cond": "affected_one || affected_few", "className": "", "default": "", "placeholder": ""}]}]}]}, {"type": "block", "text": "Submit", "id": "item-83", "cond": "(^body && (!^page_wrong_answer || (^page_wrong_answer && page_confirmation_yes)))", "className": "", "items": [{"type": "block", "text": "We will need your help to verify you are a human", "id": "captcha", "cond": "config_captcha || (!config_whitelisted && ((^page_wrong_answer && page_confirmation_yes) || (config_guest && !email/value) || !body/value))", "className": "", "items": [{"type": "tip", "text": "Please double check you are not a robot.", "id": "captcha_error", "cond": "config_error_bad_captcha", "className": "error", "default": "", "placeholder": "", "customTitle": "Error"}, {"type": "info", "text": "", "id": "captcha_area", "cond": "", "className": "", "default": "", "placeholder": ""}]}, {"type": "info", "text": "<label for=\"submit_report\"><span class=\"maia-button\">Submit the report to Google</span></label>", "id": "submit_button_field", "cond": "!config_read_only", "className": "", "default": "", "placeholder": ""}, {"type": "info", "text": "Submit disabled. 
Read-only mode enabled.", "id": "item-82", "cond": "config_read_only", "className": "", "default": "", "placeholder": ""}]}, {"type": "block", "text": "", "id": "meta", "cond": "", "className": "", "items": [{"type": "check", "text": "", "id": "config_guest", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_googler", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_whitelisted", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_captcha", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_errors", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_error_bad_captcha", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_error_empty_body", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_error_too_long_report", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_done", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_unrolled", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "check", "text": "", "id": "config_read_only", "cond": "", "className": "", "default": "", "placeholder": ""}, {"type": "line", "text": "", "id": "meta_warnings", "cond": "", "className": "", "default": "", "inputType": "text", "placeholder": ""}]}]}]}</textarea> <textarea id="_vsaq_response" name="report">{"config_guest": "checked", "config_captcha": "checked"}</textarea> <script type="text/javascript">RecaptchaOptions = {theme : 'clean'};</script> <div id="recaptcha_template"> <div class="g-recaptcha" 
data-sitekey="6LcmhkcUAAAAAA5YODVNfHloI-WrKgir260NKmZr"></div> </div> <textarea id="recaptcha_response" name="recaptcha_response_field"></textarea> <input type="hidden" name="key" value=""/> <input id="submit_report" type="submit"/> </form> </div> <div id="maia-signature"></div> <div class="maia-footer" id="maia-footer"> <div id="maia-footer-global"> <div class="maia-aux"> <ul> <li><a href="//web.archive.org/web/20210609211103/https://www.google.com/">Google</a></li> <li><a href="//web.archive.org/web/20210609211103/https://www.google.com/intl/en/about/">About Google</a></li> <li><a href="//web.archive.org/web/20210609211103/https://www.google.com/intl/en/policies/privacy/">Privacy</a></li> <li><a href="//web.archive.org/web/20210609211103/https://www.google.com/intl/en/policies/terms/">Terms</a></li> </ul> </div> </div> </div> <script src="//web.archive.org/web/20210609211103js_/https://www.google.com/js/maia.js"></script> <div style="height: 1px; width: 1px; position: fixed; opacity: 0.01;"> <textarea class="hidden" readonly aria-labelledby="bc_3ba">Flag</textarea> <div id="bc_180" aria-owns="bc_56c bc_e81 bc_5c1">Con{73</div> <div id="bc_4f4">11392f</div> <div id="bc_56c">775676</div> <div id="bc_873" aria-owns="bc_f0f">88c21f</div> <div id="bc_e81" aria-owns="bc_4f4 bc_873">a022a6</div> <div id="bc_5c1">585c3a</div> <div id="bc_3ba" aria-owns="bc_d5b bc_180 bc_9f3"></div> <div id="bc_d5b">Bounty</div> <div id="bc_f0f">80f689</div> <div id="bc_9f3">66}</div> </div> <script src="/web/20210609211103js_/https://www.google.com/appserve/security-bugs/m2/javascript/form_app.js" type="text/javascript"></script> </body> </html>