A critical vulnerability has been uncovered in Google that could allow an attacker to access internal files on Google's production servers. The vulnerability resides in the Toolbar Button Gallery, which allows users to customize their toolbars with new buttons. The researchers crafted their own button containing fishy XML entities. By sending it, they gained access to internal files stored on Google's servers and managed to read the "/etc/passwd" and "/etc/hosts" files from the server. The researchers said that by exploiting the same vulnerability they could have accessed any other file on the server, or could have gained access to Google's internal systems.
Source: https://thehackernews.com/2014/04/hacking-google-server-XML-External-Entity.html
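The server-side check that stops this class of upload, as an added example (not code from the article or from Google): a parser for untrusted button XML that refuses any document carrying a DOCTYPE or entity declaration before its content is read. The element names, the sample documents and the placeholder path are constructed, and the code assumes a button definition never legitimately needs a DTD.

```python
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_button_xml(data: bytes) -> dict:
    """Parse an uploaded button definition into {element: text}.

    Any DOCTYPE, entity declaration or external entity reference aborts
    the parse, so the parser is never asked to resolve a file or URL.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, text = {}, []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def forbid_entity_decl(*_args):
        raise UnsafeXML("entity declarations are not accepted")

    def forbid_external_ref(*_args):
        raise UnsafeXML("external entity references are not accepted")

    def start(_name, _attrs):
        text.clear()

    def chars(chunk):
        text.append(chunk)

    def end(name):
        value = "".join(text).strip()
        if value:  # keep only elements that hold text
            fields[name] = value
        text.clear()

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)  # exceptions raised in handlers propagate
    return fields


# Constructed sample uploads (not taken from the article).
BENIGN = b"<button><title>Search</title><description>Site search</description></button>"
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE button [<!ENTITY ext SYSTEM '
            b'"file:///constructed/placeholder">]><button><title>&ext;</title></button>')
```

Rejecting the DOCTYPE outright, rather than filtering individual entities, also covers internal entity declarations and parameter entities.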

