Google fixed a bug last month that could have let anyone access an internal Google website and in turn access sensitive data.
Last Friday, the company awarded a hefty $10,000 bounty to the researcher who uncovered it, Ezequiel Pereira, an Uruguayan high school student.
Pereira stumbled upon the site out of sheer boredom. The student, who says he wants to become a security researcher, was poking around Google services using Burp Suite to change the Host header in requests to the App Engine’s server early last month. While most of his attempts returned a 404 response, one internal site, yaqs.googleplex.com, had no username/password verification, or any other security measure for that matter.
“I didn’t stumble upon YAQS randomly, I found it with a Google search,” Pereira told Threatpost Thursday. “I searched ‘site:googleplex.com’, included the omitted results, and it returned a nice list of some Googleplex apps, YAQS among them.”
Googleplex.com hosts internal Google App Engine apps. The site itself points to an internal site, uberproxy.l.google.com, which requires employees to log in with a work account; once behind the proxy, requests are routed to the App Engine, Pereira claims.
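A simplified model of the failure mode described above, added here as an illustration and not taken from Pereira's write-up or from Google's systems: a backend that dispatches on the Host header and assumes internal hosts are only ever reached through the login proxy, next to one that checks a proxy-issued assertion itself. The host names, header names, key and the HMAC-signed assertion are all constructed assumptions, not Google's design or fix.

```python
import hashlib
import hmac

# Constructed values for this model; none come from the article or from Google.
PROXY_KEY = b"constructed-demo-key"
APPS = {"www.public.example": "public app", "wiki.corp.example": "internal app"}
INTERNAL_HOSTS = {"wiki.corp.example"}
USER_HEADER = "X-Proxy-User"        # hypothetical header names
SIG_HEADER = "X-Proxy-Signature"


def proxy_sign(host, user):
    """What the authenticating proxy would attach after a successful login."""
    msg = f"{host}\n{user}".encode()
    return hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()


def route_trusting(headers):
    """Weak form: dispatch purely on Host, assuming internal hosts are only
    reachable through the proxy. A directly delivered request is served."""
    app = APPS.get(headers.get("Host", ""))
    return (200, app) if app else (404, "not found")


def route_verifying(headers):
    """Hardened form: an internal host is served only with a valid proxy
    assertion bound to that host, whichever path the request arrived on."""
    host = headers.get("Host", "")
    app = APPS.get(host)
    if app is None:
        return (404, "not found")
    if host in INTERNAL_HOSTS:
        user = headers.get(USER_HEADER, "")
        sig = headers.get(SIG_HEADER, "").encode()
        expected = proxy_sign(host, user).encode()
        if not user or not hmac.compare_digest(sig, expected):
            return (403, "authentication required")
    return (200, app)


# Constructed requests: one that bypassed the proxy, one that went through it.
direct = {"Host": "wiki.corp.example"}
via_proxy = {"Host": "wiki.corp.example", USER_HEADER: "alice",
             SIG_HEADER: proxy_sign("wiki.corp.example", "alice")}

if __name__ == "__main__":
    for name, req in (("direct", direct), ("via proxy", via_proxy)):
        print(name, route_trusting(req), route_verifying(req))
```

The point of the hardened form is that authorization is decided at the application from a verifiable assertion, so it holds even when a request reaches the backend by a path that skips the proxy.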
Once in, Pereira said he saw links to “different sections about Google services and infrastructure,” but what really tipped him off that he was onto something was seeing “Google Confidential” in the footer.
The researcher, who disclosed his findings in a blog post Wednesday, said he didn’t poke and prod around too much and reported it to Google.
Pereira received a response just a few hours after reporting the issue to the company’s Security Team, which triaged the report and confirmed it was valid later that afternoon.
Google told the researcher the size of the reward stemmed from the fact that the company’s Security Team “found a few variants that would have allowed an attacker to access sensitive data.” Pereira theorizes that perhaps Google found other internal apps accessible in the same way.
The bug fetched a much higher bounty than Pereira expected.
“I thought to myself ‘Cool, this is probably a small thing that isn’t worth a dime, the website probably had some technical stuff about Google servers and nothing really important,’” Pereira wrote Wednesday.
Pereira, who goes to a computing high school, Universidad del Trabajo del Uruguay, said he first got interested in security when he was 13 and wanted to cheat in online games. After he started getting bored of games, he continued to look into computer security. Pereira told Threatpost that while he has a HackerOne account, he doesn’t use it much and that while he’s found a handful of bugs on Google sites, none of them have been severe enough for such a high bounty.
“I was expecting $500 at most, I thought of it just as a leak of some internal information that didn’t really put Google at risk,” Pereira said. “I don’t know what to do with the money, I might do a trip to somewhere – always wanted to see New York – or to learn how to invest it.”