Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Expert Earns $5,000 for Google Intranet Vulnerability

A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

Austria-based researcher David Wind was looking for a vulnerable Google service that could earn him a bug bounty when he came across, the login page for Google’s intranet, which is dubbed “MOMA.”

The login page is simple, but it does load a random image from every time it’s accessed. After unsuccessful attempts to obtain something from this domain, Wind generated a 404 error page by adding a random string to the URL.

Unlike other error pages displayed by Google to users, this one contained a link named “Re-run query with SFFE debug trace,” which pointed to the same URL with the string “?deb=trace” at the end.

The debugging page included various pieces of information, including server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and information related to Cloud Bigtable, Google’s NoSQL big data database service.

“The page did not allow any user interaction and I haven’t found anything to ‘go deeper’ into the system so I reported it right away,” Wind said on his blog.

Google awarded the researcher $5,000 for his findings, which is the maximum amount for information leaks affecting highly sensitive applications.

The vulnerability was reported to Google on January 19 and a short-term fix was implemented some days later. The company told Wind that a permanent fix was rolled out on March 16.

The $5,000 reward earned by the researcher is significant compared to what other bug bounty programs pay, but it’s small at Google’s standards, which offers more than $30,000 for remote code execution vulnerabilities.

The company has so far paid out more than $9 million since the launch of its bug bounty program in 2010, including over $3 million last year. The biggest single reward in 2016 was $100,000.

Related: No Prizes Awarded in Google’s Android Hacking Contest

Related: Google Patches Serious Account Recovery Vulnerabilities

Related: Google Cloud Platform Flaw Earns Researcher $5,000

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.