Awesome Google VRP Writeups
*writeups: not just writeups
Follow @gvrp_writeups on Twitter to get new writeups straight into your feed!
Contributing:
If you know of any writeups/videos not listed in this repository, feel free to open a Pull Request.
To add a new writeup, simply add a new line to `writeups.csv`:
`[YYYY-MM-DD],[bounty],[title],[url],[author-name],[author-url],[type],false,?`
If a value is not available, write `?`.
The value of `type` can either be `blog` or `video`.
If any of the fields include a `,`, please wrap the value in quotes.
Please keep the last two fields set to `false` and `?`. The automation will modify these fields.
If available, set `author-url` to the author's Twitter URL, so the automation can @mention the author.
Writeups:
2023:
- [Feb 10 - $500] Information disclosure or GDPR breach? A Google tale…* by Luke Berner
- [Feb 07 - $0] Google Meet Flaw — Join Any Organisation Call (Not an 0day but still acts as 0day) — Refused by GoogleVRP* by Basavaraj Banakar
2022:
- [Dec 26 - $107,500] Turning Google smart speakers into wiretaps for $100k* by Matt Kunze
- [Nov 10 - $70,000] Accidental $70k Google Pixel Lock Screen Bypass* by David Schütz
- [Sep 16 - $???] Cloning internal Google repos for fun and… info?* by Luke Berner
- [Jun 09 - $???] How to download eBooks from Google Play Store without paying for them* by Yess
- [Apr 23 - $1,337] Launching a Supply Chain Counterattack Against Google and OpenSSF* by Alan Cao
- [Mar 25 - $0] Clipboard hazard with Google Sheets* by Imre Rad
- [Mar 19 - $10,000] System environment variables leak on Google Chrome - Microsoft Edge and Opera* by Maciej Pulikowski
- [Mar 08 - $???] Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities* by Unit 42
- [Feb 20 - $3,133.7] Send a Email and get kicked out of Google Groups - A Feature that almost broke Google Groups* by Sriram
- [Feb 06 - $2,674] Auth Bypass in Google Assistant* by David Schütz
- [Feb 06 - $1,337] Auth Bypass in com.google.android.googlequicksearchbox* by David Schütz
- [Feb 02 - $???] How I Was Able To Track You Around The Globe!* by Nikhil Kaushik
2021:
- [Dec 28 - $3,133.7] RCE in Google Cloud Dataflow* by Mike Brancato
- [Dec 25 - $???] How I Saved Christmas For Google!* by Nikhil Kaushik
- [Dec 21 - $5,000] Google Cloud Shell XSS* by NDevTK
- [Dec 05 - $6,267.4] SSRF vulnerability in AppSheet - Google VRP* by David Nechuta
- [Nov 17 - $10,401.1] Reacting to myself finding an SSRF vulnerability in Google Cloud* by David Schütz
- [Nov 11 - $1,337] GOOGLE VRP BUG BOUNTY: /etc/environment local variables exfiltrated on Linux Google Earth Pro desktop app* by Omar Espino
- [Oct 24 - $7,500] A 7500$ Google sites IDOR* by r0ckin
- [Oct 18 - $???] The Speckle Umbrella story — part 2* by Imre Rad
- [Oct 14 - $0] GOOGLE VRP N/A: Arbitrary local file read (macOS) via <a> tag and null byte (%00) in Google Earth Pro Desktop app* by Omar Espino
- [Oct 11 - $0] Hacking YouTube With MP4* by Florian Mathieu
- [Oct 08 - $25,401.1] 4 Weird Google VRP Bugs in 40 Minutes - Hacktivity 2021* by David Schütz
- [Sep 28 - $???] Google Extensible Service Proxy v1 - CWE-287 Improper Authentication* by Imre Rad
- [Sep 10 - $1,337] Bypassing GCP Org Policy with Custom Metadata* by Kat Traxler
- [Aug 24 - $???] The Nomulus rift* by Imre Rad
- [Aug 23 - $???] Hey Google ! - Delete my Data Properly — #GoogleVRP* by Sriram Kesavan
- [Jul 13 - $???] Unencrypted HTTP Links to Google Scholar in Search* by David Schütz
- [Jul 08 - $0] IDOR on clientauthconfig.googleapis.com* by David Schütz
- [Jun 25 - $???] Google Compute Engine (GCE) VM takeover via DHCP flood* by Imre Rad
- [Jun 16 - $???] Story of Google Hall of Fame and Private program bounty worth $$$$* by Basavaraj Banakar
- [Jun 13 - $3,133.7] Privilege escalation on https://dialogflow.cloud.google.com* by lalka
- [Jun 09 - $500] Author spoofing in Google Colaboratory* by Zohar Shacha
- [May 31 - $10,000] AppCache's forgotten tales* by Luan Herrera
- [May 17 - $???] Clickjacking in Nearby Devices Dashboard* by David Schütz
- [May 16 - $5,000] Auth Bypass in https://nearbydevices-pa.googleapis.com* by David Schütz
- [May 05 - $???] How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit* by Robert Grosse
- [Apr 29 - $???] De-anonymising Anonymous Animals in Google Workspace* by David Schütz
- [Apr 21 - $???] IDOR leads to how many likes that was hidden | Youtube* by R Ando
- [Apr 20 - $???] Auth Bypass in Google Workspace Real Time Collaboration* by David Schütz
- [Apr 13 - $1,337] Google Photos : Theft of Database & Arbitrary Files Android Vulnerability* by Rahul Kankrale
- [Apr 09 - $31,337] Explaining the exploit to $31,337 Google Cloud blind SSRF* by Bug Bounty Reports Explained
- [Apr 06 - $31,337] $31,337 Google Cloud blind SSRF + HANDS-ON labs* by Bug Bounty Reports Explained
- [Apr 05 - $6,000] I Built a TV That Plays All of Your Private YouTube Videos* by David Schütz
- [Apr 02 - $100] Play a game, get Subscribed to my channel - YouTube Clickjacking Bug* by Sriram Kesavan
- [Mar 22 - $5,000] File System Access API - vulnerabilities* by Maciej Pulikowski
- [Mar 21 - $???] How I made it to Google HOF?* by Sudhanshu Rajbhar
- [Mar 17 - $165,174] Hacking into Google's Network for $133,337* by LiveOverflow
- [Mar 11 - $3,133.7] How I Get Blind XSS At Google With Dork (First Bounty and HOF )* by Rio Mulyadi Pulungan
- [Mar 08 - $0] Google VRP N/A: SSRF Bypass with Quadzero in Google Cloud Monitoring* by Omar Espino
- [Mar 08 - $5,000] $5,000 YouTube IDOR* by Bug Bounty Reports Explained
- [Feb 28 - $???] Metadata service MITM allows root privilege escalation (EKS / GKE)* by Etienne Champetier
- [Feb 16 - $0] Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story)* by Imre Rad
- [Jan 31 - $5,000] Hacking YouTube to watch private videos?* by Tech Raj
- [Jan 27 - $???] Hijacking Google Drive Files (documents, photo & video) through Google Docs Sharing* by santuySec
- [Jan 25 - $5,000] This YouTube Backend API Leaks Private Videos* by Hussein Nasser
- [Jan 18 - $1,337] The Embedded YouTube Player Told Me What You Were Watching (and more)* by David Schütz
- [Jan 11 - $5,000] Stealing Your Private YouTube Videos, One Frame at a Time* by David Schütz
- [Jan 08 - $3,133.7] Blind XSS in Google Analytics Admin Panel — $3133.70* by Ashish Dhone
2020:
- [Dec 30 - $???] Getting my first Google VRP trophies* by Imre Rad
- [Dec 27 - $???] Google VRP Hijacking Google Docs Screenshots* by Sreeram KL
- [Dec 22 - $0] SSTI in Google Maps* by Zohar Shacha
- [Dec 21 - $0] remote code execution when open a project in android studio that google refused to fix* by houjingyi
- [Dec 19 - $0] Google VRP – Sandboxed RCE as root on Apigee API proxies* by Omar Espino
- [Nov 12 - $31,337] 31k$ SSRF in Google Cloud Monitoring led to metadata exposure* by David Nechuta
- [Oct 27 - $6,337] The YouTube bug that allowed unlisted uploads to any channel* by Ryan Kovatch
- [Oct 26 - $0] Deciphering Google’s mysterious ‘batchexecute’ system* by Ryan Kovatch
- [Oct 15 - $???] CVE-2020-15157 "ContainerDrip" Write-up* by Brad Geesaman
- [Oct 08 - $30,000] The mass CSRFing of *.google.com/* products.* by Missoum Said
- [Oct 01 - $5,000] Google bug bounty: XSS to Cloud Shell instance takeover (RCE as root) - $5,000 USD* by Omar Espino
- [Sep 29 - $???] Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts* by Thomas Orlita
- [Sep 20 - $500] How I earned $500 from Google - Flaw in Authentication* by Hemant Patidar
- [Sep 08 - $10,000] XSS->Fix->Bypass: 10000$ bounty in Google Maps* by Zohar Shacha
- [Sep 07 - $1,337] My first bug in google and how i got CSRF token for victim account rather than bypass it* by Oday Alhalbe
- [Aug 26 - $???] Auth bypass: Leaking Google Cloud service accounts and projects* by Ezequiel Pereira
- [Aug 25 - $1,337] How I Tracked Your Mother: Tracking Waze drivers using UI elements* by Peter Gasper
- [Aug 22 - $???] The Short tale of two bugs on Google Cloud Product— Google VRP (Resolved)* by Sriram Kesavan
- [Aug 19 - $???] The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer* by Allison Husain
- [Aug 18 - $???] How to contact Google SRE: Dropping a shell in Cloud SQL* by Ezequiel Pereira
- [Aug 18 - $???] Three More Google Cloud Shell Bugs Explained* by David Dworken
- [Aug 17 - $???] Firebase Cloud Messaging Service Takeover: A small research that led to 30k$+ in bounties* by Abss
- [Aug 15 - $???] How I was able to send Authentic Emails as others - Google VRP (Resolved)* by Sriram Kesavan
- [Jul 31 - $4,133.7] Script Gadgets! Google Docs XSS Vulnerability Walkthrough* by LiveOverflow
- [Jul 28 - $1,337] Authorization bypass in Google’s ticketing system (Google-GUTS)* by Zohar Shacha
- [Jul 17 - $5,000] Idor in google product* by baluz
- [Jun 15 - $3,133.7] SMTP Injection in Gsuite* by Zohar Shacha
- [Jun 06 - $500] How i earned $500 from google by change one character .* by Oday Alhalbe
- [Jun 04 - $???] Privilege Escalation in Google Cloud Platform's OS Login* by Chris Moberly
- [May 21 - $31,337] RCE in Google Cloud Deployment Manager* by Ezequiel Pereira
- [May 10 - $???] Bypassing Firebase authorization to create custom goo.gl subdomains* by Thomas Orlita
- [May 08 - $4,133.7] Bypass XSS filter using HTML Escape* by Syahri Ramadan
- [May 07 - $3,133.7] DOM-Based XSS at accounts.google.com by Google Voice Extension* by Missoum Said
- [May 07 - $???] Google Acquisition XSS (Apigee)* by TnMch
- [May 03 - $???] DOM XSS in Gmail with a little help from Chrome* by Enguerran Gillier
- [Apr 30 - $6,267.4] Researching Polymorphic Images for XSS on Google Scholar* by Lorenzo Stella
- [Mar 27 - $3,133.7] $3133.7 Google Bug Bounty Writeup- XSS Vulnerability!* by Pethuraj M
- [Mar 11 - $100,000] $100k Hacking Prize - Security Bugs in Google Cloud Platform* by LiveOverflow
- [Mar 10 - $3,133.7] Cookie Tossing to RCE on Google Cloud JupyterLab* by s1r1us
- [Mar 08 - $6,000] The unexpected Google wide domain check bypass* by David Schütz
- [Mar 07 - $5,000] Google Ads Self-XSS & Html Injection $5000* by Syahri Ramadan
- [Jan 12 - $???] Information Disclosure Vulnerability in the Google Cloud Speech-to-Text API* by Dan Maas
2019:
- [Dec 30 - $3,133.7] How did I earn $3133.70 from Google Translator? (XSS)* by Beri Bey
- [Dec 19 - $???] SSRF in Google Cloud Platform StackDriver* by Ron Chan
- [Dec 16 - $???] 4 Google Cloud Shell bugs explained* by Wouter ter Maat
- [Dec 15 - $5,000] The File uploading CSRF in Google Cloud Shell Editor* by Obmi
- [Dec 15 - $5,000] The oauth token hijacking in Google Cloud Shell Editor* by Obmi
- [Dec 15 - $5,000] The XSS ( type II ) in Google Cloud Shell Editor* by Obmi
- [Dec 09 - $???] BlackAlps 2019: Google Bug Hunters* by Eduardo Vela Nava
- [Nov 29 - $1,337] Writeup for the 2019 Google Cloud Platform VRP Prize!* by Missoum Said
- [Nov 18 - $???] XSS in GMail’s AMP4Email via DOM Clobbering* by Michał Bentkowski
- [Oct 01 - $5,000] Google Paid Me to Talk About a Security Issue!* by LiveOverflow
- [Sep 09 - $???] Combination of techniques lead to DOM Based XSS in Google* by Sasi Levi
- [Aug 31 - $36,337] $36k Google App Engine RCE* by Ezequiel Pereira
- [Jul 20 - $13,337] Into the Borg – SSRF inside Google production network* by Enguerran Gillier
- [Jul 10 - $???] Gsuite Hangouts Chat 5k IDOR* by Cameron Vincent
- [May 21 - $13,337] Google Bug Bounty: LFI on Production Servers in “springboard.google.com” – $13,337 USD* by Omar Espino
- [Apr 27 - $0] Broken Access: Posting to Google private groups through any user in the group* by Elber Andre
- [Apr 23 - $???] Best Of Google VRP 2018 | nullcon Goa 2019* by Daniel Stelter-Gliese
- [Mar 31 - $???] XSS on Google Search - Sanitizing HTML in The Client?* by LiveOverflow
- [Mar 29 - $0] Inserting arbitrary files into anyone’s Google Earth Projects Archive* by Thomas Orlita
- [Mar 26 - $3,133.7] How I could have hijacked a victim’s YouTube notifications!* by Yash Sodha
- [Feb 12 - $???] Hacking YouTube for #fun and #profit* by Alexandru Coltuneac
- [Jan 31 - $???] LFI in Apigee portals* by Wouter ter Maat
- [Jan 30 - $7,500] $7.5k Google Cloud Platform organization issue* by Ezequiel Pereira
- [Jan 25 - $3,133.7] How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)* by Luke Berner
- [Jan 18 - $10,000] $10k host header* by Ezequiel Pereira
2018:
- [Dec 12 - $???] XSSing Google Code-in thanks to improperly escaped JSON data* by Thomas Orlita
- [Dec 11 - $???] Clickjacking DOM XSS on Google.org* by Thomas Orlita
- [Dec 05 - $500] Billion Laugh Attack in https://sites.google.com* by Antonio Sanso
- [Nov 25 - $???] XSS in Google's Acquisition* by Abartan Dhakal
- [Nov 19 - $???] XS-Searching Google’s bug tracker to find out vulnerable source code* by Luan Herrera
- [Nov 14 - $58,837] Google Cloud Platform vulnerabilities - BugSWAT* by Ezequiel Pereira
- [Nov 11 - $7,500] Clickjacking on Google MyAccount Worth 7,500$* by Apapedulimu
- [Oct 04 - $???] GoogleMeetRoulette: Joining random meetings* by Martin Vigo
- [Sep 05 - $???] Reflected XSS in Google Code Jam* by Thomas Orlita
- [Aug 22 - $???] Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org* by Thomas Orlita
- [May 25 - $???] Waze remote vulnerabilities* by PanguTeam
- [Apr 06 - $5,000] Missing access control in Google play store* by Vishwaraj Bhattrai
- [Mar 31 - $5,000] $5k Service dependencies* by Ezequiel Pereira
- [Mar 28 - $???] Stored XSS on biz.waze.com* by Rojan Rijal
- [Mar 07 - $13,337] Stored XSS, and SSRF in Google using the Dataset Publishing Language* by Craig Arendt
- [Feb 24 - $13,337] Bypassing Google’s authentication to access their Internal Admin panels* by Vishnu Prasad P G
- [Feb 19 - $???] Google bugs stories and the shiny pixelbook* by Missoum Said
- [Feb 14 - $7,500] $7.5k Google services mix-up* by Ezequiel Pereira
2017:
- [Oct 30 - $15,600] How I hacked Google’s bug tracking system itself for $15,600 in bounties* by Alex Birsan
- [Jun 21 - $???] nullcon Goa 2017 - Great Bugs In Google VRP In 2016* by Martin Straka and Karshan Sharma
- [Jun 08 - $???] RuhrSec 2017: Secrets of the Google Vulnerability Reward Program* by Krzysztof Kotowicz
- [Mar 09 - $5,000] How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)* by Marin Moulinier
- [Mar 01 - $???] Ok Google, Give Me All Your Internal DNS Information!* by Julien Ahrens
- [Feb 26 - $3,133.7] Exploiting Clickjacking Vulnerability To Steal User Cookies* by Jasminder Pal Singh
- [Jan 04 - $???] fastboot oem sha1sum* by Roee Hay
2016:
- [Nov 29 - $???] War Stories from Google’s Vulnerability Reward Program* by Gábor Molnár
- [Oct 09 - $6,000] How I got 6000$ from #Google (Google Cloudshell RCE)* by Pranav Venkat
- [Aug 26 - $500] $500 getClass* by Ezequiel Pereira
- [Feb 28 - $???] Stored, Reflected and DOM XSS in Google for Work Connect (GWC)* by Ashar Javed
2015:
- [Dec 08 - $???] Creative bug which result Stored XSS on m.youtube.com* by Sasi Levi
- [Oct 29 - $???] XSS in YouTube Gaming* by Ashar Javed
- [Jun 26 - $3,133.7] Youtube Editor XSS Vulnerability* by Jasminder Pal Singh
2014:
- [Oct 31 - $5,000] The 5000$ Google XSS* by Patrik Fehrenbach
- [Oct 26 - $1,337] Youtube XSS Vulnerability (Stored -> Self Executed)* by Jasminder Pal Singh
- [Aug 13 - $???] I hate you, so I pawn your Google Open Gallery* by Ahmad Ashraff
- [Jan 10 - $???] Again, from Nay to Yay in Google Vulnerability Reward Program!* by Ahmad Ashraff
2013:
- [Sep 15 - $3,133.7] XSRF and Cookie manipulation on google.com* by Michele Spagnuolo
- [Jul 08 - $???] Stored XSS in GMail* by Michele Spagnuolo
Unknown Date:
- [??? - $5,000] Google VRP : oAuth token stealing* by Harsh Jaiswal
- [??? - $???] Unauth meetings access* by Rojan Rijal
- [??? - $???] XSS vulnerability in Google Cloud Shell’s code editor through mini-browser endpoint* by Psi
- [??? - $???] Information leakage vulnerability in Google Cloud Shell’s proxy service* by Psi
- [??? - $???] XSS vulnerability in Google Cloud Shell’s code editor through SVG files* by Psi
- [??? - $???] CSWSH vulnerability in Google Cloud Shell’s code editor* by Psi
- [??? - $3,133.7] Open redirects that matter* by Tomasz Bojarski
- [??? - $???] Voice Squatting & Voice Masquerading Attack against Amazon Alexa and Google Home Actions* by ???
- [??? - $???] Blind XSS against a Googler* by Rojan Rijal
- [??? - $???] Multiple XSSs on hire.withgoogle.com* by Rojan Rijal
- [??? - $???] Auth Issues on hire.withgoogle.com* by Rojan Rijal
- [??? - $???] G Suite - Device Management XSS* by Rojan Rijal