I still think $5,000 is ridiculously low. Lots of research like this fails and it happens you do the work just to be told someone already filled a similar bug before.

Pretty elaborate research indeed, I once filed a very simple, but just as dangerous, stored XSS on www.linkedin.com (with access to cookies) + some other bug, hoping to speedup my Partner API Request, got $400 for the XSS and many weeks later $400 for the other bug too (which took them 6+ months to fix). The $/time wasn't worth it, and of course the Partner API Request got declined without explanation.

It seems to be the market clearing price. Lots of companies think "hey, we offer peanuts and people do all this expensive work for us."

This guy did it to land a job. Hopefully he's done with spec-work like this and his new employer makes sure to negotiate rates ahead of time for security reviews.

Small bounties may not be extremely effective at getting expensive people to work for peanuts but they are very effective at destroying the underground economy where these bugs used to be shared, traded or sold.

Since there is no honor among thieves every buyer has to assume that any bug they buy will also be sold to other buyers. With even a moderate bug bounty in place it becomes a prisoners dilemma for all parties who know of the bug. The first person to disclose the bug captures the bounty and the remaining parties get shut out.

Since everyone in the market has to assume that everyone else is cheating the market collapses. Microsoft has a paper on the economic incentives of the underground economy that covers the topic nicely:

https://www.microsoft.com/en-us/research/publication/nobody-...

Fantastic analysis of a complex system. Congrats on the bounty! +1 for dropping that you're looking for work at the end, that's a great resume post.

Fantastic write-up. Scripting with Chrome's debug tools seems to be a promising way to find exploits among minified js.

Just wondering if anybody from Google asked you to apply for positions there after this?

@mar1, I've forwarded your interest in finding a job to our security recruiting lead. We don't have a relevant office in the desired location, but happy to discuss. Feel free to reach out, my email is dierks@google.com.

This is the reason why I love people at Google. They do listen! :-)

Very clever use of the Chrome debugger APIs.

We should connect, my company doesn't have anyone fully remote right now but maybe we could do in the near future...

Awesome find and write up. Wondering why you did not get the full $7500 for this

https://www.google.com/about/appsecurity/reward-program/inde...

How come accounts.google.com more severe than others for XSS ?

> How come accounts.google.com more severe than others for XSS ?

Because that's where the jewels are: "Control, protect, and secure your account, all in one place"

Well done and well explained. Great thing to share your thoughts in open-source as well. I wish you the best with your job research, companies like Advance or Octo would be great places for you in France, based on the skills you showed.

Do you always get the bounty ? Or do they sometimes fix the bug and ignore you ?

Very cool! I didn't know that chrome's debug tools were so powerful.

Could this type of vunerability be found using some clever fuzzer?

A lot of vulnerabilities like this are found with fuzzing. Same with poor encryption schemes. Depends what your definition of clever is but normally fuzzing is an intermediate research step to just see what response you get as you change input to ascertain information of what's going on behind the scenes so you can use a more directed attack later.

Nice work, Marin. Great detail on your methods and findings.