XSS vulnerability found in Google Voice browser extension


Google Voice browser extension has XSS vulnerability that executes javascript and can give access to accounts.google.com and facebook.com.

Google Voice browser extension is a Chrome extension that helps you make calls and opens Google Voice with a click. The Google Voice extension 1. Lets you initiate calls by just typing any number or contact name, 2. Makes phone numbers on websites callable via Google Voice by just clicking on them. 3. If a phone number doesn’t turn into a link on any website (ex: Google Calendar), you can select the text with your mouse, and then click to call popup will automatically display (note: might not work with all numbers).

You can add Google Voice extension on your Google Chrome from here

A researcher named Missoum Sai found an XSS vulnerability that triggers javascript code to access accounts.google.com and Facebook accounts. The researcher is an active member of the Google Vulnerability Reward Program. The researcher said that the vulnerability was found accidentally after installing the Google Voice extension.

This universal DOM-based XSS was discovered accidentally, it is fortunate that the google ads’ customer ID is the same format as American phone number format. I opened Gmail to check my inbox and the following popped up

I rushed to report it to avoid dupe, without even checking what’s going on, as a Stored XSS in Gmail triggered by google ads rules as the picture shows, but the reality was something else.

Missoum said in his blog

What exactly happened after installing Google Voice extension?

According to Missoum, after installing the extension it triggers the javascript file that executed on his Gmail and FB account. After the execution of javascript, a popup appeared with a text ‘444-555-4455 <img src=x onerror=alert(1)>’.

What exactly happened after installing Google Voice extension?

[Image Source: Missoum blog]

What exactly happened after installing Google Voice extension?

[Image Source: Missoum blog]

Soon after getting the popup, Missoum extracted the source code of Google and found a Wg() function in contentscript.js which was responsible for the XSS. Below is the code where he found the DOM XPath-injection:

(var b = /(^|\s)((\+1\d{10})|((\+1[ \.])?\(?\d{3}\)?[ \-\.\/]{1,3}\d{3}[ \-\.]{1,2}\d{4}))(\s|$)/m, c = document.evaluate(‘.//text()[normalize-space(.) != “”]’, a, null, XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE, null), d = 0; d < c.snapshotLength; d++) {
a = c.snapshotItem(d);

Missoum also posted the fix for the code in his blog which is below:

I believe the developer was going to execute variable ‘f’ that was holding the value of phone number for example ‘+12223334455’ on the sinks (innerHTML, insertBefore), instead for reason I couldn’t understand he executes variable ‘a’ which was holding the payload ex: ‘444-555-4455 <img src=x onerror=alert(1)>’ on the sinks, this XSS could be spared if he did not do so.

Missoum said

After reporting the flaw to Google Missoum was rewarded $3,133.7 (Rs. 2,36,000 approx). Well also look at how Vinoth Kumar hacked Facebook with XSS script and got $20000 from them.


About Author

Be Ready for the challenge

Notify of
Inline Feedbacks
View all comments