DEFTCODE( 2 )

GPG - 2048R/6D378CAF

Disclosure: Stored XSS in Google Shopping Express

Description

Found a Cross-site Scriping in Google Shopping Express Through It’s Wallet data.

Wikipedia: Google Shopping Express is a same-day shopping service (“shop local stores online and get items delivered on the same day”) from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year. In spring 2014 it was expanded to New York and Los Angeles, and in fall 2014 to Chicago, Boston, and Washington, DC.

Proof of Concept of Stored XSS:

Example demostration screen

Google Shopping Express Stored Cross-site Scriping

Google Shopping Express Stored XSS

Example demostration’s video

Watch in YouTube

Disclosure:

Acknowledgement

Google Security Team - Reward

Thanks to Google Security Team for the Google Hall Of Fame.