Security: Self-XSS on accounts.google.com
Reported by indo.h4x...@gmail.com, Sep 15
Issue description

VULNERABILITY DETAILS
When you open Google Chrome (Stable) and the history is empty or accounts.google.com has not been opened, and you get an e-mail (in the inbox on a mobile phone), a WhatsApp message, a Facebook message, etc. from a hacker you don't know / undetected, telling you to open:

https://accounts.google.com/signin/v2/identifier?continue=http://b.mail.google.com&hl=id&Email=open https://indonesia.go.id to get $1000&flowName=GlifWebSignIn&flowEntry=ServiceLogin#identifier

after that you are switched to accounts.google.com and the SELF XSS will appear in the form of a warning message such as: "open https://indonesia.go.id to get $1000". Check the attachment named self-xssgmail1.png ;) Almost 10%-20% or more of Gmail users worldwide do not know this is from hackers; they will open the site (ex: indonesia.go.id), and what happens is certainly a lot of phishing, etc.

VERSION
Chrome Version: [68.0.3440.91] + [stable]
Operating System: [Android 7.0.0]

REPRODUCTION CASE
Check the video https://drive.google.com/file/d/1sW6DmDZTZXIXShFHLkJj9KWzgRPsT0H3/view?usp=drivesdk and self-xssgmail2.txt

Regards,
e333jsjs7se
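A defender-side check for the prefill parameter the report abuses, added here as an example and not part of the report or of Google's sign-in code. It assumes a hypothetical server-side helper, safe_prefill, that validates the Email query value before it is echoed into the sign-in page; the reported link is used as constructed sample input, with a benign link beside it.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Strict shape for a username prefill hint: one address, no whitespace,
# no URL-like characters. Anything that fails is dropped, never displayed.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed samples: the link from the report, and a benign prefill link.
REPORTED_URL = (
    "https://accounts.google.com/signin/v2/identifier"
    "?continue=http://b.mail.google.com&hl=id"
    "&Email=open https://indonesia.go.id to get $1000"
    "&flowName=GlifWebSignIn&flowEntry=ServiceLogin#identifier"
)
BENIGN_URL = (
    "https://accounts.google.com/signin/v2/identifier"
    "?continue=http://b.mail.google.com&hl=id&Email=alice@example.com"
)


def safe_prefill(url: str, param: str = "Email") -> Optional[str]:
    """Return the value safe to prefill into the username box, or None.

    None is returned when the parameter is absent, given more than once,
    or is anything other than a single well-formed e-mail address; a lure
    sentence such as the one in the report is therefore never rendered.
    """
    query = urlsplit(url).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:  # missing or duplicated: refuse to guess
        return None
    candidate = values[0].strip()
    if not _EMAIL_RE.fullmatch(candidate):
        return None  # free text (spaces, "://", "$") is rejected here
    return candidate


if __name__ == "__main__":
    for link in (REPORTED_URL, BENIGN_URL):
        print(repr(safe_prefill(link)))
```

The lure text in the reported link is rejected because it contains spaces and a URL, while the benign address passes unchanged.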
Comment 1 by indo.h4x...@gmail.com, Sep 15
Update! Also affected for Chrome version: [69.0.3497.91] + [stable]

Regards,
e333jsjs7se
Sep 17
I think this is working as intended, but either way this isn't an issue with Chrome. Vulnerabilities in Google web properties should be reported here: https://goo.gl/vulnz
Sep 18
Haha ok Thanks.
Dec 24
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot