Uruguayan high school student Ezequiel Pereira, who has aspirations of becoming a security researcher one day, has been awarded $10,000 for discovering and reporting a vulnerability in Google’s App Engine server.
While poking around App Engine by changing the Host header in requests sent to the server (*.appspot.com) – in an attempt to get access to internal App Engine apps (*.googleplex.com), Pereira stumbled upon a website that had no security measure in place.
Users accessing apps on googleplex.com are usually required to go through the MOMA login page, which acts as a proxy called “ÜberProxy.”
According to the student, who was using Burp for this endeavor because it allows to easily change the Host header and see the result, most of his attempts to access App Engine apps failed. The server was either returning a 404 Not Found error or was checking whether the request was coming from a Googler account (“[email protected]”) instead of a normal Google account.
Eventually, however, he stumbled upon yaqs.googleplex.com, where no username check was performed and where other security measures also appeared to be lacking.
“The website’s homepage redirected me to ‘/eng’, and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: ‘Google Confidential’,” Pereira explains.
Immediately after discovering the issue, the student retraced the steps to make sure it could be reproduced, and then reported the vulnerability to Google, without further poking at the website.
To reproduce the bug using Burp, one would have to go to the Repeater tab, set the target host to “www.appspot.com” and the target port to “443,” then check the “Use HTTPS” option, write a raw HTTP request: GET /eng HTTP/1.1
(the request also includes two empty lines at the end), and hit Go.
By exploiting the vulnerability, an attacker could access “an internal Google website,” the student alleges.
The report was immediately confirmed by Google as valid, and the company informed Pereira several weeks later that he was awarded $10,000 for the discovery. Apparently, Google discovered a “few variants [of the exploit] that would have allowed an attacker access sensitive data,” which explains the high reward amount.