Based on the payload the author describes, it does look like an XSS.
The server response probably injected the “continue” parameter into a <meta http-equiv=“refresh” content=”0: url=…” />. Google’s bug bounty team likely would have adjusted the reward downward if it was not an XSS.
document.domain returns the current domain used in the document because no redirect occurred. Similar to if you typed it in your address bar right now, it should show you the HN domain.
It's commonly used as a placeholder in an alert-box XSS PoC. Weaponising this into an actual exploit could have been a fetch(), css inclusion, or enumerating localstorage.
Is it? I'm not so familiar with the specifics of bug bounty programs, but it seems like this issue could cause much more than 3k in damages if it were to be exploited.
Similarly, I'm kind of shocked that Google is only offering 30k for discoveries of remote code execution vulnerabilities on their own servers. I don't mean to trivialize that amount of money, but compared to the scope of what that kind of vulnerability could be used for it seems insignificant. There's the potential for access to internal Google secrets and private data belonging to users. Would a government not pay 10-20x for something like that?
No it’s not! That is extremely low compared to say Apple, which doles out something like 50k for low severity bugs (source: they pretty much paid my college fees)
