Google APIs ClickJacking ($1337)

Myo Min Thu
Feb 5 · 2 min read

Hi everyone,

Today I want to tell how I got $1337 from the Google bug bounty program. I looked for security vulns on many Google subdomains, but I did not find any vuln.

I tried searching with a Google dork for open redirects. At that time I did not know that Google does not pay for open redirects (note: if you want to find vulns, you need to read the program rules first).

I used this Google dork:

site:*.google.com inurl:href=http

I found some URLs. I tried to embed every URL in an iframe because I had seen a clickjacking writeup on Facebook.

<!-- Clickjacking PoC: the target page is loaded into the attacker's page through an <iframe> -->
<iframe width=500 height=500 src="https://apis.google.com/_/widget/render/page?usegapi=1&href=https://plus.google.com/[here google plus id ]"></iframe>

But I got a 404 error page. I did not know what to do to get the webpage's UI. I refreshed the webpage. Boom!! I got the Google+ profile page.
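The check the post does by hand (load each dork result in an iframe and see whether it renders) can be done without a browser by reading the target's response headers. The following is an added example, not code from the original post: it implements the X-Frame-Options and CSP frame-ancestors rules that current browsers apply when deciding whether a page may be framed, and runs them over constructed header sets (not captured from Google) that cover the unprotected case the post found next to the headers that would have blocked it. The attacker origin attacker.example and the header sets are assumptions made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}

# Constructed response-header sets (not captured from any real site): the weak
# configuration the post exploited next to the headers that would have blocked it.
CONSTRUCTED_RESPONSES = {
    "no_protection":         {"Content-Type": "text/html"},
    "xfo_allow_from":        {"X-Frame-Options": "ALLOW-FROM https://trusted.example"},
    "xfo_sameorigin":        {"X-Frame-Options": "SAMEORIGIN"},
    "xfo_deny":              {"X-Frame-Options": "deny"},
    "xfo_conflicting":       {"X-Frame-Options": "SAMEORIGIN, ALLOW-FROM https://trusted.example"},
    "csp_self_only":         {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
                              "X-Frame-Options": "ALLOW-FROM https://attacker.example"},
    "csp_google_subdomains": {"Content-Security-Policy": "frame-ancestors https://*.google.com"},
}


def _origin(url):
    """(scheme, host, port) for an absolute URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(scheme))


def _csp_source_matches(source, page_origin, ancestor_origin):
    """CSP3 source matching, restricted to what frame-ancestors needs."""
    source = source.lower()
    a_scheme, a_host, a_port = ancestor_origin
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == page_origin
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:   # scheme-only source such as "https:"
        return a_scheme == source[:-1]
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = None, source                  # scheme-less host source
    if scheme is not None and scheme != a_scheme:
        return False
    # A scheme-less source takes the page's own scheme, allowing an http page to be framed by https.
    if scheme is None and a_scheme != page_origin[0] and not (page_origin[0] == "http" and a_scheme == "https"):
        return False
    host, _, port = rest.partition(":")
    if host.startswith("*."):
        if not a_host.endswith(host[1:]):            # "*.google.com" matches "plus.google.com", not "google.com"
            return False
    elif host != a_host:
        return False
    if port == "":
        return a_port == DEFAULT_PORT.get(a_scheme)  # no port in the source means the scheme's default port
    return port == "*" or port == str(a_port)


def frameable(page_url, ancestor_url, headers):
    """True if a current browser would render page_url inside a frame hosted on ancestor_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page_o, anc_o = _origin(page_url), _origin(ancestor_url)

    # An enforced CSP carrying frame-ancestors wins and X-Frame-Options is then ignored.
    # Content-Security-Policy-Report-Only never blocks, so it is deliberately not consulted.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            if not sources or sources == ["'none'"]:
                return False
            return any(_csp_source_matches(s, page_o, anc_o) for s in sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True                                   # the weak state in the post: anyone may frame the page
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        return False                                  # conflicting values: browsers fail closed
    if not values:
        return True
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return anc_o == page_o
    return True                                       # ALLOW-FROM or unknown value: no current browser enforces it


def triage(page_url, ancestor_url):
    """Evaluate every constructed header set; True means the page is clickjackable from ancestor_url."""
    return {name: frameable(page_url, ancestor_url, hdrs) for name, hdrs in CONSTRUCTED_RESPONSES.items()}


if __name__ == "__main__":
    # The widget URL from the post, framed from a hypothetical attacker origin.
    target = "https://apis.google.com/_/widget/render/page?usegapi=1&href=https://plus.google.com/"
    for name, result in triage(target, "https://attacker.example/poc.html").items():
        print(f"{name:24s} {'FRAMEABLE' if result else 'blocked'}")
```

Only the no_protection and xfo_allow_from sets come out as frameable from the attacker origin: the obsolete ALLOW-FROM value gives no protection in any current browser, and a conflicting X-Frame-Options value makes browsers fail closed. To use this on live dork results, fetch each URL and pass its response headers to frameable() with the origin of your PoC page.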

I was so happy.

The reason for the 404 is that the whole UI is going down (planned shutdown of Google+: https://www.blog.google/technology/safety-security/expediting-changes-google-plus/ ).

I reported it to Google and Google VRP accepted my report. They paid me $1337.

Google HOF : https://bughunter.withgoogle.com/profile/40b3c633-09ea-476e-b09f-ec00237029c3
