It is true that the bug bounty programme first introduced by Google, and later adopted by other internet giants such as Facebook and Microsoft, has benefited organisations considerably. Rewarding unique reports of security loopholes helps both the security researcher and the organisation. It motivates hackers and researchers to expand their knowledge, and it gives the word "ethical" real meaning in the cyber security field.
Security researchers and co-founders of Detectify have discovered a critical security vulnerability in Google that allowed them to access internal servers. According to the researchers' explanation, the vulnerability existed in the Google Toolbar button gallery. The toolbar gallery page lets users customise their toolbar with buttons, and it also lets them create their own buttons by uploading an XML file.
This upload function let an attacker exploit an XML External Entity (XXE) vulnerability by submitting a crafted XML file. After sending the crafted file, the researchers were able to read internal files stored on the Google product server; by exploiting the vulnerability further, they managed to read the "/etc/passwd" and "/etc/host" files on the server.
Beyond that, XXE can be abused for local file access, SSRF, remote file inclusion, denial of service and possibly remote code execution. For this critical report Google rewarded the researchers with $10,000.
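As an added example (not code from this article, from Google or from Detectify), the following Python shows the server-side check that closes this class of bug: an upload handler for button definitions that refuses any XML document carrying a DOCTYPE or entity declaration before the document ever reaches the tree parser. The `<custombuttons>` schema and both sample documents are constructed for illustration and are not Google's real toolbar format.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample: a harmless button definition in an assumed schema.
BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<custombuttons>
  <button>
    <title>Example</title>
    <url>https://example.com/</url>
  </button>
</custombuttons>
"""

# Constructed sample of the kind of upload the article describes: the DOCTYPE
# declares an external entity backed by a local file and the body references it.
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE custombuttons [
  <!ENTITY ext SYSTEM "file:///etc/passwd">
]>
<custombuttons><button><title>&ext;</title></button></custombuttons>
"""


class UnsafeXMLError(ValueError):
    """Raised when an upload contains markup a button definition never needs."""


def reject_doctype(data: bytes) -> None:
    """First pass with expat: abort on any DOCTYPE or entity declaration.

    Expat only fetches external entities when an ExternalEntityRefHandler asks
    it to, so this pass inspects the declarations without resolving them; the
    handlers raise before the referenced file could be touched.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity(*_decl):
        raise UnsafeXMLError("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def parse_button_upload(data: bytes) -> ET.Element:
    """Parse an uploaded button file only after the declaration check passes."""
    reject_doctype(data)
    return ET.fromstring(data)


def button_titles(data: bytes) -> List[str]:
    """Titles of every <button> in an accepted upload (assumed schema)."""
    root = parse_button_upload(data)
    return [b.findtext("title", "") for b in root.iter("button")]


def is_safe_upload(data: bytes) -> bool:
    """True if the upload parses cleanly, False if it was rejected."""
    try:
        parse_button_upload(data)
        return True
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    print("benign:", button_titles(BENIGN_UPLOAD))
    print("xxe accepted?", is_safe_upload(XXE_UPLOAD))
```

Rejecting the DOCTYPE outright is the simplest defence for an endpoint like this one: a button definition has no legitimate use for entity declarations, so there is nothing to lose by refusing them, and the check runs before any parser that might be configured to resolve external references. A stricter deployment would additionally validate the accepted tree against the expected element set and size limits.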