Writeups

• Google Issue Tracker leak (Fixed)

• Identify Tor user across browser restarts (Fixed)

• leet.cc account takeover (old bug)

• Google Extensions (Awarded $18833.7)

• Insecure sandbox on Colaboratory (Awarded $1337, Not Fixed)

• googlesource.com access_token leak (Awarded $7500)

• CCAI

• NoScript

• Proton part 2

• Google XSS

• PDF Page count leak (Awarded $500)

• SponsorBlock

• AutoFill UI spoof (Awarded $1000)

• Proton

• Android Crash and UI spoof (Not fixed)

• Download limit bypass (Fixed)

• Sandbox escape (Awarded $2500)

• XSS in native browser UI (Awarded $500)

• URL Spoof (Awarded $1000)

• Email storage leaking ticket-attachments (Awarded $5000)

• Performance API time travel on redirect. (Fixed)

• Partitioned HTTP Cache Bypass (Not fixed)

• Cross-origin URL disclosure via "history.length" (Awarded $5000)

• Gmail XS-Search (Fixed, I hope)

• crossOriginIsolated bypass (Awarded $3000)

• Google Cloud Shell XSS (Awarded $5000)

• Embed users content from Google Cloud Shell in remote iframes (Fixed)

Subscribe via RSS my Chromium issues can be found here report writeup issues here
This website may store Cookies and use Google Analytics, Opt-out via the Google Analytics Opt-out Add-on and contact me regarding data deletion.
The privacy policy for my browser extensions can be found here writeup credits can be found here

Unofficial Discord server for XS-Leaks enthusiasts

If you’re interested in discussing new, old, or existing XS-Leaks, or simply staying up to date with the community, consider joining the unofficial Discord server maintained by contributors.