Google Assistant Bug Worth $3133.7!

Circle Ninja
Jul 21, 2018 · 2 min read

Hi hackers! Long time no see..


Actions Google XSS

You may well be aware of Google Assistant. This is a writeup of a reflected XSS which I found in console.actions.google.com.

My college Prof. asked me to conduct a useful workshop for students. After a quick search, I settled on the workshop topic "Making apps using Google Assistant". The documentation provided was very easy to follow, so it would be easily grasped by learners. So I was making a test app using the Assistant Web Console.

I was very lucky to find the XSS, as just one week later Google started to extensively market Assistant via major YouTube channels. :P

I will go directly to the bug, i.e. the XSS.

There were many options and inputs like App name, link, description etc.

(Image: the new Assistant Console. The XSS was in the old console.)

I started saving some payloads in each field. I soon realized that no tags (<, > etc.) were filtered, but the XSS never popped. :(

After some time, I used a data URI with Base64 encoding to build the XSS. Clicking the link triggered it.

The payload:

"><a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=">click</a>
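As an added example (not code from the original post, and not Google's code), the snippet below decodes the Base64 body of the payload above so a reviewer can see what the data: URI actually carries, and then shows the two defences that together make this class of bug impossible: encoding user input before it is placed inside an HTML attribute, and allowlisting the URL schemes a user-supplied link may use (so data: and javascript: are rejected rather than denylisted). The function names, the SAFE_SCHEMES set and the RAW_FIELD_VALUE sample are assumptions made for this illustration.

```python
import base64
import html
from urllib.parse import urlsplit

# Base64 body of the payload quoted in the writeup (decodes to a script tag).
PAYLOAD_B64 = "PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4="

# Constructed sample of what the "link" field would have received: the
# attribute-breakout prefix followed by the data: URI from the writeup.
RAW_FIELD_VALUE = '"><a href="data:text/html;base64,' + PAYLOAD_B64 + '">click</a>'

# Assumed allowlist: only schemes the console has a reason to link to.
SAFE_SCHEMES = {"http", "https", "mailto"}


def decode_payload(b64: str) -> str:
    """Decode the Base64 body so the content of the data: URI is visible in review."""
    return base64.b64decode(b64).decode("utf-8")


def is_safe_link(url: str) -> bool:
    """Allowlist URL schemes. Relative URLs (no scheme) are accepted; data:,
    javascript: and any unknown scheme are rejected. Case and surrounding
    whitespace are normalised first so 'DATA:' or ' javascript:' cannot slip by."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme == "":
        return True
    return scheme in SAFE_SCHEMES


def render_link(label: str, url: str) -> str:
    """Render a user-supplied link safely.

    1. Scheme allowlist: an unsafe URL is replaced by a harmless '#'.
    2. Attribute encoding: quote=True turns '"', '<' and '>' into entities, so a
       value like RAW_FIELD_VALUE cannot close the href attribute and start a
       new tag. Both steps are needed: RAW_FIELD_VALUE has no parseable scheme
       and passes step 1, and is only neutralised by step 2.
    """
    safe_url = url if is_safe_link(url) else "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(safe_url, quote=True),
        html.escape(label, quote=True),
    )


if __name__ == "__main__":
    print("payload decodes to:", decode_payload(PAYLOAD_B64))
    print("direct data: URI  ->", render_link("click", "data:text/html;base64," + PAYLOAD_B64))
    print("breakout attempt  ->", render_link("click", RAW_FIELD_VALUE))
```

Run it and compare the two rendered lines: the direct data: URI is downgraded to `href="#"` by the allowlist, while the attribute-breakout string is emitted as a single, inert anchor whose href is just encoded text. Relying on either defence alone leaves one of the two cases open, which is why output encoding is applied unconditionally and the scheme check sits on top of it.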


By the way, the workshop was a success by God's grace! And whoever said "help others and you will get your reward in unexpected ways" was right.

You are always welcome to contribute to this not-for-profit publication. Please DM me on Twitter.

Circle Ninja

Written by

Wannabe Security JCB | BTech CSE Student from India

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!
