A reflected XSS vulnerability was discovered on admin.google.com's ServiceNotAllowed page where the 'continue' parameter was not validated, allowing attackers to inject javascript: protocol URLs that execute when the page redirects, enabling account takeover and privilege escalation of Google Apps administrators.
DOM-based XSS vulnerability in Google Crisis Map discovered by bypassing client-side URL validation via request interception, then chained with missing X-Frame-Options header to enable clickjacking attacks on published maps. The vulnerability required users to click through an overlaid iframe to trigger JavaScript execution.
A researcher documents discovering multiple MIME sniffing-dependent XSS vulnerabilities at Google by exploiting improper Content-Type headers and missing X-Content-Type-Options: nosniff headers, earning thousands in bounties while exploring how browsers may interpret non-HTML content as executable code.