Security bug allows hackers to access an internal network of Google

Google bug

A young Czech bug hunter has identified a security flaw in one of the backend Google apps. Used by a malicious threats player, the bug would have allowed hackers to steal the cookies of Google employees for internal apps and hijack accounts, start very persuasive lift attempts, and possibly gain access to other parts of the internal Google network.

This attack vector was discovered in February this year by security researcher Thomas Orlita and was patched in mid-April, but now only publicly available.


The security fault is impacted by the Google Invoice Submission Portal, a public website on which Google redirects business partners to provide the contractual agreement based invoices.

Described as a vulnerability to cross-site scripting (XSS).

Most XSS flaws are considered benign, but rare cases may lead to serious consequences for these kinds of vulnerabilities.

One of those cases was the discovery of Orlita. The researcher said a malicious actor could upload malformed files via the Upload Invoice field on the Google Invoice Submission Portal.

Using a proxy, the attacker could have intercepted and modified the documents from PDF to HTML, to XSS maliciously payload immediately after the form submission and validation operation took place.

The data would end up being stored in the billing backend of Google and would automatically be executed when an employee tried to view it.

“Since XSS was run on a subdomain while employees are logged in, an attacker should be in a position to access the Dashboard in the subdomain where the invoices can be viewed and managed,” Orlita said to ZDNet by email.

Any other internal applications on this domain may be accessible, depending on whether cookies are configured on,’ added the investigator.

As most internal Google applications are hosted on, this opens the door to a wide range of possibilities for attackers.

In all things, however, this bug, as with most XSS security bugs, would have depended on the ability of a threat-actor to pivot more complex attacks.

“The seriousness of the impact depends, of course, on how well it can be used to access its internal sites,” “For example, an attacker could try to attack an employee phishing.” The official Orlita vulnerability disclosure is the place for more technical details about the XSS bug.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.