One warm evening, my wife said that she had become the owner of our Museum of the World Ocean, located in Kaliningrad. She simply clicked the "I'm a Business Owner" button on Google Maps.
I didn't believe it. How could this even be? To confirm, she changed the site address in the organization's profile, and after a minute, the new URL was displayed in it. The new owner of a large museum stood in front of me and smiled.
URL . . Google , .
? . Google Bug Bounty . .
11 Google Business. , , , ...
Google My Business
, , . . - . - Google. , HAR, Google.
:
1) Google Maps;
2) " ";
3) Google Business " ".
Google , . . , . . , , .
Google . 2 . , .
2 , . . Google . . .
, Google , . 2 . . Google Maps. ? , . 3 . :
Google refused to revise the report, citing the fact that gaining full control over the profile of a foreign organization is not a vulnerability. And finally it deleted all my changes. It is not known how long they would have held out if I had not reported them. A month? A year?
I came to the following conclusion: an attacker can take over an organization and change the site address to a phishing one, and the victim will gladly send him his money. Buy movie tickets, pay for a new iPhone, book a table at a restaurant, pay for food delivery, and so on.