Security: xss in chrome
Reported by
venkates...@gmail.com,
Jan 30 2017
Issue description

VULNERABILITY DETAILS
XSS: Chrome browser-based vulnerability. Once the JavaScript is run, it is able to give the alert box with Gmail cookies if logged into a Gmail account. I have reported it already but there has been no update till now.

Report Details
-------------------
Email Subject: [8-8013000015913] XSS in None
Category: XSS
Product: None
Cid: 8-8013000015913
date: Fri, Jan 27, 2017 at 11:58 AM

VERSION
Chrome Version: Chrome Version 55.0.2883.87 m
Operating System: Windows 10 64 bit OS

REPRODUCTION CASE
1. Start your Chrome.
2. You can delete your old cookies (not necessary, but to avoid confusion).
3. Log in with any Google account.
4. Open a new tab, in the address bar type "javascript:alert(document.cookie) or javascript:(document.domain)".
5. It will display the Gmail cookie if you are logged into Gmail in another tab, for document.cookie. For document.domain it will display www.google.com.
6. It all happens locally and any third party can steal the cookie to hijack the account.

Attack scenario: We can write a Chrome extension to steal the cookies, which leads to session hijacking. And it may be possible to get the keystrokes, that is, whatever we are typing in the page.

Regards,
Venkatesh
Jan 30 2017
I understand it's intended, but to what extent is it right to show Google cookies? And if logged into a number of web applications, by default it's bringing the Google cookie when you run the script.
May 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Jan 30 2017