How we got read access on Google’s production servers posted April 2014
The team at Detectify found a way to access files on one of google's production server. Thanks to an old google product (google toolbar) that was using a poorly secured XML parser.
They just used a simple XXE attack where they uploaded a poisoned xml files and saw what the application printed back
a xxe looks like this:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
More on their blog