Writeups

• Miscellaneous

• XS-Search on Google Photos

• Office Editing for Docs, Sheets & Slides leak (Awarded $3133.70)

• NoScript part 2

• lyra.horse XSS

• UAC Spoof (Not Fixed)

• SOP bypass in Google Scholar PDF Reader (Fixed)

• Chromium infra

• idx.google.com XSS (Awarded $3133.70)

• Leaking the locations of the top Google VRP Bug hunters

• Android web attack surface

• Google Accounts/GAIA XSRF

• Google Issue Tracker leak (Fixed)

• Identify Tor user across browser restarts (Fixed)

• leet.cc account takeover (old bug)

• Google Extensions (Awarded $18833.7)

• Insecure sandbox on Colaboratory (Awarded $1337, Not Fixed)

• googlesource.com access_token leak (Awarded $7500)

• CCAI

• NoScript

• Proton part 2

• Google XSS

• PDF Page count leak (Awarded $500)

• SponsorBlock

• AutoFill UI spoof (Awarded $1000)

• Proton

• Android Crash and UI spoof (Not fixed)

• Download limit bypass (Fixed)

• Sandbox escape (Awarded $2500)

• XSS in native browser UI (Awarded $500)

• URL Spoof (Awarded $1000)

• Email storage leaking ticket-attachments (Awarded $5000)

• Performance API time travel on redirect (Fixed)

• Partitioned HTTP Cache Bypass (Not fixed)

• Cross-origin URL detection via "history.length" (Awarded $5000)

• Gmail XS-Search (Fixed)

• crossOriginIsolated bypass (Awarded $3000)

• Google Cloud Shell XSS (Awarded $5000)

RSS / Chromium / Credits / X / Discord / YouTube / Privacy / GitHub / Mastodon / ndev.tk

Improve this page default basic random dark inverted cmd.exe comic base64 Minecraft flip 🦆 rainbow text typoifier AI audio spoof NoScript