Israel-based security researcher Zohar Shachar discovered the vulnerability in April 2019 and it was patched a few weeks later, but he only now disclosed his findings.
The flaw affected the Google Maps feature that allows users to create their own map. These maps can be exported in various formats, including Keyhole Markup Language (KML), a format that is used to display geographic data in Google Earth and other similar applications.
An analysis of the server response when exporting a map using KML revealed an XML response containing, among other things, a CDATA tag. The CDATA section contains text that is not rendered by the browser.