Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Pays $10,000 Bug Bounty to High School Student

Uruguayan high school student Ezequiel Pereira, who has aspirations of becoming a security researcher one day, has been awarded $10,000 for discovering and reporting a vulnerability in Google’s App Engine server.

Uruguayan high school student Ezequiel Pereira, who has aspirations of becoming a security researcher one day, has been awarded $10,000 for discovering and reporting a vulnerability in Google’s App Engine server.

While poking around App Engine by changing the Host header in requests sent to the server (*.appspot.com) – in an attempt to get access to internal App Engine apps (*.googleplex.com), Pereira stumbled upon a website that had no security measure in place.

Users accessing apps on googleplex.com are usually required to go through the MOMA login page, which acts as a proxy called “ÜberProxy.”

According to the student, who was using Burp for this endeavor because it allows to easily change the Host header and see the result, most of his attempts to access App Engine apps failed. The server was either returning a 404 Not Found error or was checking whether the request was coming from a Googler account (“[email protected]”) instead of a normal Google account.

Eventually, however, he stumbled upon yaqs.googleplex.com, where no username check was performed and where other security measures also appeared to be lacking.

“The website’s homepage redirected me to ‘/eng’, and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: ‘Google Confidential’,” Pereira explains.

Immediately after discovering the issue, the student retraced the steps to make sure it could be reproduced, and then reported the vulnerability to Google, without further poking at the website.

To reproduce the bug using Burp, one would have to go to the Repeater tab, set the target host to “www.appspot.com” and the target port to “443,” then check the “Use HTTPS” option, write a raw HTTP request: GET /eng HTTP/1.1

Advertisement. Scroll to continue reading.

Host: yaqs.googleplex.com

(the request also includes two empty lines at the end), and hit Go.

By exploiting the vulnerability, an attacker could access “an internal Google website,” the student alleges.

The report was immediately confirmed by Google as valid, and the company informed Pereira several weeks later that he was awarded $10,000 for the discovery. Apparently, Google discovered a “few variants [of the exploit] that would have allowed an attacker access sensitive data,” which explains the high reward amount.

Related: Google Paid Out $9 Million in Bug Bounties Since 2010

Related: Expert Earns $5,000 for Google Intranet Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.