Yasin Soliman

Yasin Soliman

I'm Yasin, a security analyst from the UK, interested in web application testing and red team operations.

Yasin Soliman



Managed Apps and Music: a tale of two XSSes in Google Play

Yasin SolimanYasin Soliman

I've been working hard on Google's Vulnerability Reward Program over the past few weeks, partly inspired by an enjoyable experience with Capture The Flag. After hinting at a VRP writeup release back in June, I'm excited to share a pair of XSS bugs on Google Play (one of Google's Category Two "Highly Sensitive" web properties).    

The benefits of research

A quick foreword: operating across a variety of disciplines, I often peruse The Keyword to keep on top of new features and early access opportunities. Focused research (combining the resources below with open-source intel) is also a valuable way to maximise your in-scope bug hunting opportunities:

1. XSS by Interstitial Injection: Managed Apps

Managed Google Play is the app management platform and enterprise marketplace for Android [...] an admin can accept app permissions, approve apps for distribution on user devices, purchase apps in bulk, and more.

It was my first time on the site, and having pre-authenticated with a personal Google Account, I happened upon a Terms of Service interstitial. A continue parameter in the URL prompted me to look further than open redirection attacks, which in basic form are ineligible for VRP submission.

And so, by injecting a JavaScript URI, it was possible to achieve reflected XSS with a simple Proof of Concept tested in the latest stable Chrome build — which triggered after marking the checkbox and selecting "Accept."


Proof of Concept image from initial Managed Apps report

Supplementary examination

Analysing the pre-exploitation process for this bug led to a couple of interesting conclusions:

  1. The ToS can only be accepted once; this is a "one-shot" exploit
  2. The user must have access to the Managed Play Store

But, on that second point, how was I able to access the Managed Apps portal with my personal Google Account? In fact, there were two distinct sub-conditions in which a user could come into contact with the PoC:

  • Having access to an educational institution account with the Managed portal enabled (for instance, as a G Suite user or administrator)

  • Alternatively, by registering for Android Management Experience, a platform which allows users to "test enterprise features" by setting up an organisation with their personal Google account.

Having explored the Management Experience and set up an organisation previously, my account was cleared to click through the Terms and reproduce the bug.

2. XSS by Crafted URL with Persistence: Play Music

This bug featured a straightforward attack scenario and persistent effect. A Play Music member accesses the crafted listen URL (decoded PoC below), which injects a code payload in the user's Recent Searches history, leading to persistent XSS upon loading the app:

https://play.google.com/music/listen?u=0#/sr/'"><img src=x onerror=confirm(document.domain)>

Proof of Concept image from Play Music report taking place during preload

As noted in my report to the Security Team, the victim would invoke the malicious payload every time they accessed a page on Google Play Music — including the homepage — with no additional interaction required. Recent searches now are sanitised:

Resolution and sanitised output on Play Music


I would like to commend Eduardo, Maciej and the whole VRP Security Team for the superb bug handling and continued support.

Research timeline

The following timestamps are provided in GMT.

1. XSS by Interstitial Injection: Managed Apps

  • 2017-06-26 18:21 – bug reported
  • 2017-06-27 13:48 – triaged
  • 2017-06-28 14:42 – "nice catch!" (validated)

2. XSS by Crafted URL with Persistence: Play Music

  • 2017-07-01 18:51 – bug reported
  • 2017-07-03 11:22 – triaged
  • 2017-07-03 22:19 – "nice catch!" (validated)

Fix confirmation took place simultaneously at 2017-07-07 21:37.

Yasin Soliman

Yasin Soliman