Vulnerabilities in Google Cloud, DevSite, and Google Play could have allowed attackers to perform cross-site scripting (XSS) attacks, opening the door to account hijacking. The discoveries earned the researcher $3,133.70 for the DevSite issue and $5,000 for the Google Play vulnerability.
Due to a vulnerability in the server-side implementation of the <devsite-language-selector> component, part of the URL was reflected as HTML, so it was possible to get XSS, via the 404 page, on any origin that used that component.
For Google Play, triggering the error page was as simple as requesting /?search=&, and because window.location includes the hash fragment, in which a single quote (') is never percent-encoded, it was possible to escape the href attribute context and set other HTML attributes. Unlike the DevSite XSS, this one was blocked by the CSP, but the panel still awarded it more.
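As an added illustration of the hash-fragment attribute breakout described above (example code written for this page, not the researcher's proof of concept or Google Play's own code), the block below uses Node's WHATWG URL parser to model what window.location.href contains, a hypothetical error page that concatenates that value into a single-quoted href, and the attribute encoding that prevents the breakout. The host play.example, the "Try again" link markup, and all helper names are assumptions.

```javascript
// Added example: why an unencoded ' in the URL fragment escapes a
// single-quoted href, and the encoding that stops it. Node's URL class
// implements the same WHATWG serialisation a browser applies to
// window.location.href, so it models the value the page would read.

// Constructed attacker URL. The query only exists to trigger the error page;
// the payload rides in the hash. No space is needed after the closing quote:
// spaces are percent-encoded in fragments, but the HTML tokenizer accepts a
// new attribute name immediately after a quoted value.
const ATTACKER_URL =
  "https://play.example/?search=&#'onmouseover='alert(document.domain)";

// Model window.location.href for a given URL string.
function locationHref(url) {
  return new URL(url).href;
}

// Vulnerable pattern (hypothetical reconstruction): the error page rebuilds a
// retry link by concatenating the current location into a single-quoted href
// with no attribute encoding.
function renderRetryLinkVulnerable(href) {
  return "<a href='" + href + "'>Try again</a>";
}

// Hardened pattern: encode the HTML-significant characters before the value
// lands inside an attribute, so ' can no longer terminate the href.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&#34;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderRetryLinkSafe(href) {
  return "<a href='" + escapeAttr(href) + "'>Try again</a>";
}

// Crude review check over rendered markup: count attribute names in the
// opening tag. The template intends exactly one (href); a second one means
// the attribute context was escaped.
function attributeCount(tagMarkup) {
  const open = tagMarkup.slice(0, tagMarkup.indexOf(">"));
  return (open.match(/(?:^|[\s'"/])[a-zA-Z-]+=/g) || []).length;
}

// Run both renderers over the attacker URL and report what differs.
function demo() {
  const href = locationHref(ATTACKER_URL);
  return {
    // Fragment keeps the quote verbatim...
    hash: new URL(ATTACKER_URL).hash,
    // ...while the same character in the query is percent-encoded.
    queryQuoteEncoded: new URL("https://play.example/?search='").search,
    vulnerable: renderRetryLinkVulnerable(href),
    safe: renderRetryLinkSafe(href),
    vulnerableAttrs: attributeCount(renderRetryLinkVulnerable(href)),
    safeAttrs: attributeCount(renderRetryLinkSafe(href)),
  };
}

console.log(demo());
```

The contrast between `hash` and `queryQuoteEncoded` is the whole bug: a developer who has only ever seen the query serialised assumes `'` cannot reach the markup, but the fragment serialisation never encodes it. Attribute-encoding the value at the sink (or assigning it via `setAttribute` instead of string concatenation) closes the hole regardless of which part of the URL it arrives in; a CSP without `unsafe-inline` is what turns a breakout like this from script execution into a blocked inline handler, as the page notes for Google Play.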