Saturday, April 2, 2011

Google Security Vulnerability Reward Program: Google Adwords Billing poisoning

Google AdWords, Google's online advertising service for boosting website traffic and sales, was vulnerable to a persistent (stored) XSS in the billing information.

What had to be done?
The billing information details were vulnerable to a persistent XSS in five different fields:
Business name,
Contact name,
both Street Address fields, and
City.
The attack was performed by editing the billing information and entering a standard XSS payload in one of these fields (no special filter bypass was required): the value was stored and then rendered back unescaped.
The XSS was persistent to the point that not even the administrator could delete the poisoned billing information.
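The pattern described above, as an added example that is not code from the original post or from Google: a stored billing record is rendered into HTML once with the fields concatenated straight in (the stored-XSS bug) and once with every field HTML-encoded at the output boundary (the fix). The field names and the sample record, including the generic `<img onerror>` payload, are constructed assumptions that mirror the post's list, not AdWords' own data model.

```javascript
// Added example, not Google's code. Shows why stored field values must be
// encoded at render time, and how the "persistent" part happens: every page
// that renders the record (including the admin's) re-triggers the payload.

// HTML-encode the characters that matter in element text or a double-quoted
// attribute. Node's standard library has no built-in for this.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Assumed field names mirroring the five fields the post lists.
const BILLING_FIELDS = ['businessName', 'contactName', 'street1', 'street2', 'city'];

// Vulnerable renderer: trusts the value because it "came from the database".
// Anything stored with a '<' lands in the page as live markup.
function renderBillingVulnerable(billing) {
  return BILLING_FIELDS
    .map((f) => `<div class="${f}">${billing[f] == null ? '' : billing[f]}</div>`)
    .join('\n');
}

// Hardened renderer: encode at the output boundary regardless of origin.
// The same renderer must be used by the admin/edit view, otherwise a poisoned
// record breaks the very page that would be used to delete it.
function renderBillingSafe(billing) {
  return BILLING_FIELDS
    .map((f) => `<div class="${f}">${escapeHtml(billing[f] == null ? '' : billing[f])}</div>`)
    .join('\n');
}

// Constructed sample record with a generic stored-XSS payload in Business name.
const SAMPLE_BILLING = {
  businessName: '<img src=x onerror="alert(document.domain)">',
  contactName: 'A. Nyone',
  street1: '1 Example St',
  street2: '',
  city: 'Springfield',
};

// Crude check used to compare the two renderers: is there a raw tag that a
// browser would execute? (Good enough for the demo, not a sanitizer.)
function containsRawTag(html) {
  return /<(script|img|svg|iframe)\b/i.test(html);
}

console.log(renderBillingVulnerable(SAMPLE_BILLING)); // payload lands as live markup
console.log(renderBillingSafe(SAMPLE_BILLING));       // payload shown as inert text
```

Note that the fix is output encoding, not input filtering: the attacker's value is allowed to be stored as-is, and the application simply never lets it reach the page as markup. Rejecting `<` on input would also have blocked the payload, but it is context-blind and fails the moment the same data is rendered in a context the filter did not anticipate.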

Screenshot: (image not included in this copy)

This issue has been fixed by the Google security team.

I appreciate the opportunity to preserve my skills and gain some more experience.
Thank you, Google security team.


