Hacking Google Support: Leaking millions of customer records ($14k bounty)

Hacking Google Support: Leaking millions of customer records ($14k bounty) This is the story of how I found my first vulnerability in Google - a way to leak private customer data (including phone numbers) and agent information for all cases in Google's internal support systems. This vulnerability was responsibly disclosed to Google's Vulnerability Rewards Program , and has since been fixed. Last year I was taking a look at the Google Support website, which, like most support sites, has a live chat widget . These sorts of pages are always quite fascinating to look at from a security perspective, since they inevitably integrate with separate internal tools used by support agents. Security vulnerabilities are just nasty edge cases , and support systems are often rife with such edge cases. I was very curious how this live chat worked under the hood, so of course I popped open DevTools to see for myself. It's always fun to see how things work. This chat widget was particularly interesting as it was hosted in an embedded