
Hackers get $10,000 for hacking Google

A team of security researchers, Detectify, discovered a serious vulnerability on a Google server.
The hack was based on the long-known XXE vulnerability (XML External Entity processing).


This “hole” allows external entities to be embedded in an XML document, for example to load individual parts of a file. If a hacker can embed an arbitrary section into the document's schema, however, the consequences can be serious, such as reading an arbitrary file on the server.
The culprit was one of Google's services, namely Toolbar Button Gallery. The researchers found that, to make it easier to set up a toolbar, the service allows an XML file with user settings to be uploaded. By embedding a specially crafted section in the file and uploading it to the server, the hackers obtained the data they were after: XXE worked.


The security researchers limited themselves to demonstrating the vulnerability by reading the files /etc/passwd and /etc/hosts, but that is not the limit of what it allows. For example, XXE could also be used to achieve denial of service, SSRF and, with the right approach, execution of arbitrary code on the target server. Under its vulnerability reward program, Google paid the researchers $10,000.
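
One way a service that accepts uploaded XML settings, as described above, can close this hole is to refuse any document that declares a DTD or an entity before it is ever expanded. The following is an added example, not code from Google or Detectify; the `toolbar`/`button` element names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class ForbiddenXML(ValueError):
    """Uploaded XML declared a DTD or an entity."""

def parse_settings(xml_bytes: bytes) -> ET.Element:
    """Parse untrusted XML, aborting on any DOCTYPE or entity declaration."""
    def deny_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML(f"DOCTYPE not allowed (root {name!r})")

    def deny_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML(f"entity declaration not allowed ({name!r})")

    def deny_external(context, base, sysid, pubid):
        raise ForbiddenXML(f"external entity not allowed ({sysid!r})")

    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # Entities can only be declared inside a DOCTYPE, so the first handler is
    # enough on its own; the other two are defence in depth.
    parser.StartDoctypeDeclHandler = deny_doctype
    parser.EntityDeclHandler = deny_entity
    parser.ExternalEntityRefHandler = deny_external
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(xml_bytes, True)
    return builder.close()

def is_accepted(xml_bytes: bytes) -> bool:
    """True if the upload parses cleanly and declares no DTD or entity."""
    try:
        parse_settings(xml_bytes)
        return True
    except (ForbiddenXML, expat.ExpatError):
        return False

# Constructed sample uploads (hypothetical settings format).
BENIGN = b'<?xml version="1.0"?><toolbar><button title="Mail"/></toolbar>'
HOSTILE = (b'<?xml version="1.0"?><!DOCTYPE toolbar ['
           b'<!ENTITY x SYSTEM "file:///etc/passwd">]>'
           b'<toolbar><button title="&x;"/></toolbar>')

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("hostile accepted:", is_accepted(HOSTILE))
```

Rejecting the DOCTYPE outright also blocks the denial-of-service variant, since entity expansion never starts.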

Source: https://habr.com/ru/post/219125/

