Google Assistant Bug Worth $3133.7 !

Hi hackers! Long time no see..


Actions Google XSS

You may well be aware of Google Assistant . This is a writeup of reflected XSS which I found in console.actions.google.com .

My college Prof. asked me to conduct some useful workshop for students. After a quick search, I figured out on the workshop as “Making apps using Google Assistant”. The documentation provided was very easy to follow and so it would have been easily grasped by learners. So I was making a test app using Assistant Web Console.

I was very lucky to find the XSS as just after one week, Google started to extensively market Assistant via major youtube channels. :P

I will directly go the bug i.e XSS.

There were many options and inputs like App name, link ,description etc.

New Assistant Console|XSS was in Old

I started saving some payloads on each field. I soon realized that no tags were filtered <> etc. But the XSS never popped. :(

After some time, I used data uri and base 64 encoding to create XSS . Clicking on the link got XSS.

The payload-

“><a href=”data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTIik8L3NjcmlwdD4=”>click</a>

By the way the workshop was a success by God’s grace! And true was someone who said help others, you will get your reward in unexpected ways.

You are always welcome to contribute in this not for profit publication. Please DM me on Twitter.