Found a Cross-site Scripting in Google Shopping Express Through Its Wallet Data.
Wikipedia: Google Shopping Express is a same-day shopping service (“shop local stores online and get items delivered on the same day”) from Google that was launched on a free trial basis in San Francisco and Silicon Valley in spring 2013 and publicly in September that year. In spring 2014 it was expanded to New York and Los Angeles, and in fall 2014 to Chicago, Boston, and Washington, DC.
The vulnerability lives in the “City” input, so replace the city address with this XSS vector:
<img src=x onerror=prompt(1)>
Google Shopping Express Stored Cross-site Scripting
Thanks to the Google Security Team for the Google Hall Of Fame.
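The fix for this class of bug is to encode address fields at the point of output, even when they were stored by another trusted service such as Wallet. The sketch below is an added example, not code from this post or from Google; the record shape, field names and markup are assumptions, and the sample record is constructed using the vector shown above.

```javascript
// Added illustration: field names and markup are assumptions, not Google's code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: imported address fields are concatenated into markup as-is.
function renderAddressUnsafe(addr) {
  return `<div class="address"><span class="street">${addr.street}</span>, ` +
         `<span class="city">${addr.city}</span></div>`;
}

// Hardened pattern: every field is encoded when it is written into HTML,
// regardless of which upstream service stored it.
function renderAddressSafe(addr) {
  return `<div class="address"><span class="street">${escapeHtml(addr.street)}</span>, ` +
         `<span class="city">${escapeHtml(addr.city)}</span></div>`;
}

// Review/test helper: true if the markup contains a tag carrying an inline
// event-handler attribute (on...=), which rendered user data should never produce.
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed sample record: the "City" value is the vector from the post.
const importedAddress = { street: "1 Example St", city: "<img src=x onerror=prompt(1)>" };

console.log("unsafe:", renderAddressUnsafe(importedAddress));
console.log("safe:  ", renderAddressSafe(importedAddress));
```

The same `hasInlineHandler` check can be used in a regression test that feeds stored profile fields through the rendering path.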