Expert Earns $5,000 for Google Intranet Vulnerability

A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

Austria-based researcher David Wind was looking for a vulnerable Google service that could earn him a bug bounty when he came across login.corp.google.com, the login page for Google’s intranet, which is dubbed “MOMA.”

The login page is simple, but it does load a random image from static.corp.google.com every time it’s accessed. After unsuccessful attempts to obtain something from this domain, Wind generated a 404 error page by adding a random string to the URL.

Unlike other error pages displayed by Google to users, this one contained a link named “Re-run query with SFFE debug trace,” which pointed to the same URL with the string “?deb=trace” at the end.

The debugging page included various pieces of information, including server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and information related to Cloud Bigtable, Google's NoSQL big data database service.
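As an added example (not from the article, the researcher, or Google), the following Python check scans web server access logs for requests that carry the kind of debug parameter described above, and notes whether the same client first triggered a 404 on that path, which is the sequence the article describes. The log lines, the combined log format and the list of debug parameters are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2017:10:00:01 +0000] "GET /img/abcd1234.png HTTP/1.1" 200 5120
203.0.113.7 - - [19/Jan/2017:10:00:09 +0000] "GET /img/zzzzrandom HTTP/1.1" 404 812
203.0.113.7 - - [19/Jan/2017:10:00:15 +0000] "GET /img/zzzzrandom?deb=trace HTTP/1.1" 200 20480
198.51.100.2 - - [19/Jan/2017:10:01:00 +0000] "GET /img/logo.png HTTP/1.1" 200 3000
198.51.100.2 - - [19/Jan/2017:10:01:02 +0000] "GET /img/logo.png?deb=trace HTTP/1.1" 200 19000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Assumed list of query parameters a production front end should never honour.
DEBUG_PARAMS = {"deb": {"trace"}}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, target, status, size = m.groups()
    parts = urlsplit(target)
    return {"client": client, "ts": ts, "method": method, "path": parts.path,
            "query": parse_qs(parts.query), "status": int(status), "size": int(size)}


def has_debug_param(query):
    """True if any known debug parameter/value pair is present in the query string."""
    return any(v in query.get(k, []) for k, vals in DEBUG_PARAMS.items() for v in vals)


def find_debug_trace_requests(log_text):
    """Return one alert per request carrying a debug parameter. 'after_404' marks
    requests where the same client already received a 404 on the same path,
    i.e. the error page likely advertised the debug link. A 200 status on the
    alerted request means the server actually served the trace."""
    seen_404 = set()  # (client, path) pairs that produced a 404 earlier in the log
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            seen_404.add((rec["client"], rec["path"]))
        if has_debug_param(rec["query"]):
            alerts.append({"client": rec["client"], "path": rec["path"],
                           "status": rec["status"],
                           "after_404": (rec["client"], rec["path"]) in seen_404})
    return alerts


if __name__ == "__main__":
    for a in find_debug_trace_requests(SAMPLE_LOG):
        print(a)
```

Any alert with status 200 means the front end honoured the debug parameter in production, which is the condition a defender would want to eliminate rather than merely monitor.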

“The page did not allow any user interaction and I haven’t found anything to ‘go deeper’ into the system so I reported it right away,” Wind said on his blog.

Google awarded the researcher $5,000 for his findings, which is the maximum amount for information leaks affecting highly sensitive applications.

The vulnerability was reported to Google on January 19 and a short-term fix was implemented some days later. The company told Wind that a permanent fix was rolled out on March 16.

The $5,000 reward earned by the researcher is significant compared to what other bug bounty programs pay, but it is small by Google's standards, as the company offers more than $30,000 for remote code execution vulnerabilities.

The company has so far paid out more than $9 million since the launch of its bug bounty program in 2010, including over $3 million last year. The biggest single reward in 2016 was $100,000.

Related: No Prizes Awarded in Google's Android Hacking Contest

Related: Google Patches Serious Account Recovery Vulnerabilities

Related: Google Cloud Platform Flaw Earns Researcher $5,000

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.