Batu69 Posted August 11, 2017

Google makes a habit of paying out respectable amounts to people who find flaws in its products, and that is exactly what happened to high schooler Ezequiel Pereira of Uruguay, who netted $10,000 from the search giant in return for finding a simple, but potentially devastating bug that could let outsiders into its internal intranet.

The hack essentially consisted of changing around the host header for a specific set of URLs and just trying different domains until one was found that let the attacker in without any kind of error or security check. Using a penetration tester called Burp, Pereira managed to find and get into “yaqs.googleplex.com”, a site within Google’s internal intranet that just happened to be connected to the internet, and left relatively unsecured. Using Burp, Pereira was able to cycle through different URLs quickly, and try them from different hostname declarations. There was no real exploit used here; Pereira simply said he was accessing the site from inside Google, and the site believed him.

It seemed to be a harmless page full of categorically arranged information about Google’s departments and services, perhaps left there specifically for security researchers to stumble across. When Pereira happened across a file that was labeled as confidential, he immediately filed a report to Google. The company got back to him after looking into the issue independently, and had found that the method Pereira was using could eventually have led an attacker to a place in Google’s intranet where they could potentially have found customers’ personal information. When Pereira asked why his reward payout was so high, that was the answer that Google gave him.

Security researchers, both professional and amateur, have managed to find a good number of vulnerabilities and bugs in Google’s programs and services over the years. The company publishes a report every now and then showing how much it has paid out, arranged by what product or service a bug was found in and the severity of the bugs. This program is instrumental in helping Google to find and squash high-level bugs that may otherwise be exploited to obtain confidential information or help hackers obtain confidential information about Google, its partners, or even users of its services.

Article source
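The bug described above came down to an edge server routing on whatever Host header the client supplied. As an added example that is not part of the original post or of Google's systems, this is the check a front end should make before routing: serve only hostnames published on that listener, reject everything else, and count rejected Host values from access logs for detection. The allowlist, hostnames and log format are constructed for the example.

```python
"""Host-header allowlisting for an Internet-facing front end (added example)."""
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames this public listener should serve.
PUBLIC_HOSTS = {"www.example.com", "api.example.com"}


def normalize_host(value: str) -> str:
    """Lowercase, drop whitespace, a trailing dot and any :port suffix."""
    host = value.strip().lower().rstrip(".")
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def effective_host(request_line: str, headers: dict) -> str:
    """Host that routing will actually use (RFC 7230 section 5.5): an
    absolute-form request target overrides the Host header, so both must
    be checked. `headers` is assumed to have lowercase keys."""
    target = request_line.split(" ")[1]
    if "://" in target:
        return normalize_host(urlsplit(target).netloc)
    return normalize_host(headers.get("host", ""))


def route_decision(request_line: str, headers: dict, allow=PUBLIC_HOSTS) -> str:
    """Return 'serve' for an allowlisted host, otherwise 'reject'.
    A rejected request should get a 421/400 and never reach a backend."""
    return "serve" if effective_host(request_line, headers) in allow else "reject"


def suspicious_hosts(log_lines, allow=PUBLIC_HOSTS) -> dict:
    """Count requests per non-allowlisted Host value in access logs.
    Constructed log format: '<client-ip> <host> <status> <path>'.
    Repeated unknown hosts from one client look like host enumeration."""
    counts = {}
    for line in log_lines:
        _ip, host, _status, _path = line.split(" ", 3)
        host = normalize_host(host)
        if host not in allow:
            counts[host] = counts.get(host, 0) + 1
    return counts
```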
pc71520 Posted August 11, 2017
Quote: Amateur Researcher Finds $10,000 Google Vulnerability
Lucky guy.

vitorio Posted August 11, 2017
Yes indeed. Persistence pays.

knowledge-Spammer Posted August 11, 2017
Not so much of an Amateur.

pc71520 Posted August 12, 2017
22 hours ago, knowledge said: Not so much of an Amateur.
Kind of a Pro...