Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Expert Earns $5,000 for Google Intranet Vulnerability

A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

Austria-based researcher David Wind was looking for a vulnerable Google service that could earn him a bug bounty when he came across login.corp.google.com, the login page for Google’s intranet, which is dubbed “MOMA.”

The login page is simple, but it does load a random image from static.corp.google.com every time it’s accessed. After unsuccessful attempts to obtain something from this domain, Wind generated a 404 error page by adding a random string to the URL.

Unlike other error pages displayed by Google to users, this one contained a link named “Re-run query with SFFE debug trace,” which pointed to the same URL with the string “?deb=trace” at the end.

The debugging page included various pieces of information, including server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and information related to Cloud Bigtable, Google’s NoSQL big data database service.

“The page did not allow any user interaction and I haven’t found anything to ‘go deeper’ into the system so I reported it right away,” Wind said on his blog.

Google awarded the researcher $5,000 for his findings, which is the maximum amount for information leaks affecting highly sensitive applications.

The vulnerability was reported to Google on January 19 and a short-term fix was implemented some days later. The company told Wind that a permanent fix was rolled out on March 16.

Advertisement. Scroll to continue reading.

The $5,000 reward earned by the researcher is significant compared to what other bug bounty programs pay, but it’s small at Google’s standards, which offers more than $30,000 for remote code execution vulnerabilities.

The company has so far paid out more than $9 million since the launch of its bug bounty program in 2010, including over $3 million last year. The biggest single reward in 2016 was $100,000.

Related: No Prizes Awarded in Google’s Android Hacking Contest

Related: Google Patches Serious Account Recovery Vulnerabilities

Related: Google Cloud Platform Flaw Earns Researcher $5,000

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights