HTML injection is a type of injection vulnerability that occurs when a user controls an input point and can inject arbitrary HTML code into a vulnerable web page.
It was possible to inject an <a> tag with a Punycode domain and create a phishing comment; an attacker could then target any person by making the image public.
Photo sharing allows comments and photo uploads with a heart emoticon at https://photos.google.com/direct/AFxxxxxDqUPppXXXXXXXXXXXrAXXXXXXX. While commenting, it is possible to inject any URL with arbitrary text, and it behaves as a hyperlink in the comment. The HTML <a> element (or anchor element), with its href attribute, creates a hyperlink to web pages, files, email addresses, locations on the same page, or anything else a URL can address.
In the Firefox browser, combining this arbitrary content injection with an injected Punycode URL makes it more impactful.
An attacker can share images/videos with multiple people, or create a shareable link, thus making them available to the public.
An attacker can use this injected text content in the comment to redirect a user to a malicious website. No warning is shown, which makes phishing attacks feasible. Direct injection of the Punycode domain was not possible, as it led to the URL being removed completely.
It was possible to bypass the restriction and insert the Punycode URL by URL-encoding the value.
Also, in Firefox, IDN_show_punycode is disabled by default, which makes users more vulnerable to URL redirection and phishing websites via a homograph attack. When a user clicks, there is no warning that they will be redirected to the attacker's (Punycode) domain.
Payload:
<a href="https://www.аррӏе.com">iPhone Black Friday sale</a>
Request Body:
f.req=[[["HF8OLc","[[\"AF1Qip6767676767676767r_24-KRiu868NGwdddddddddddddddddddddddddddddddddddddA\"],[[[2,\"mypage\",null,[\"https%3A%2F%2Fwww.%D0%B0%D1%80%D1%80%D3%8F%D0%B5.com\",\"https%3A%2F%2Fwww.%D0%B0%D1%80%D1%80%D3%8F%D0%B5.com\"]]]],\"ZS1CdDZ6dG8yTFBdddddddddddddYS\",null,null,[],null,\"`comment_0\",null,[[\"AF1QipNMmL5__WEl4ODcdOzFEjOeXQRw\",\"99999277788885631999999999995\"],\"https://lh3.googleusercontent.com/JcxcvcvcvbvvbbbbbbbbbbbbbbbbbbbbbwMT-J3vWAycxxxxxxxxxxxxxxxxxxxxxxxxxxx1H-XZU2A\",null,[\"Demo+App\",1,\"male\",\"justmorpheus\"],[null,null,[]],1,\"\",\"\",[],[],null,[\"https://lh3.googleusercontent.com/a/AATXAJxUjjEGFNSdcXVQ_Y5hhhcZ32-b9L7TZw-SeY4\"],2]]",null,"generic"]]]&at=AP9999999999DfSxzVFVXTRacxcxcxcxcx:16979004365222&
8. Send the request and check for a 200 OK.
9. Reload the page and hover over the hyperlink created with the arbitrary text.
10. In Firefox, the hovered link shows the lookalike domain as if it were the original, instead of its Punycode form, and once the user clicks the link they can be redirected or phished.
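As an added defensive example (not code from the original post), here is a Python check for links in user comments that closes the bypass described above: it fully percent-decodes the value before looking at the hostname, flags non-ASCII and mixed-script hosts, and returns a verdict to render the link in its Punycode (xn--) form or reject it instead of passing the lookalike through. The sample inputs are constructed: the percent-encoded host from the request body above and a benign link; the function and field names are my own.

```python
import unicodedata
from urllib.parse import unquote, urlsplit


def fully_unquote(value, max_rounds=5):
    """Undo repeated percent-encoding. The filter in the post stripped a raw
    Unicode domain but not a percent-encoded one; decode before inspecting,
    and keep decoding so double-encoding does not slip past either."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def scripts_in(label):
    """Unicode scripts used by the letters of one hostname label, taken from
    the first word of each character's Unicode name (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def classify_link(raw_url):
    """Decide how a user-supplied comment link should be handled."""
    url = fully_unquote(raw_url.strip())
    host = urlsplit(url).hostname or ""
    non_ascii = any(ord(ch) > 127 for ch in host)
    scripts = set().union(*(scripts_in(lbl) for lbl in host.split(".")))
    try:
        ace = host.encode("idna").decode("ascii")   # xn-- form for display
    except UnicodeError:
        ace = None                                   # not a valid IDN label
    if not host or ace is None:
        verdict = "reject"
    elif non_ascii:
        verdict = "render_punycode"   # show xn--... so lookalikes are visible
    else:
        verdict = "allow"
    return {"host": host, "ace": ace, "non_ascii": non_ascii,
            "mixed_script": len(scripts) > 1, "verdict": verdict}


# Constructed sample inputs: the encoded host from the request body above
# (Cyrillic letters spelling a lookalike of apple.com) and a benign link.
SAMPLES = [
    "https%3A%2F%2Fwww.%D0%B0%D1%80%D1%80%D3%8F%D0%B5.com",
    "https://www.apple.com/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", classify_link(sample))
```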
Google marked the issue as Not Applicable, since it relies on a social engineering attack, which is not in scope.
Ciao, until next time.