Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents. While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google's …

Hmmmm....

Hacking US of A commercial web pages?

Obtaining monetary gain from the activity?

He should probably stay away from DEF-CON... (Yes, I know. I'm joking. Well, probably... :-( ).

Bronze badge

Re: Hmmmm....

I'd suggest membership of EFF might be a reasonable insurance policy if he does plan to travel.



Silver badge

Kudos to all involved

Firstly, to the kid for responsive disclosure and for being so level headed ("I just think it was a very simple bug")

Secondly to Google for just paying the bounty. Certain other companies would try and get the kid hit with some ridiculous charge or threaten if he so much as farts in public they'll throw the book at him.

Textbook stuff.

Silver badge

Re: Kudos to all involved

Responsible disclosure. Freaking autocarrot.

Anonymous Coward

Re: Kudos to all involved

Hmm, the kid was purposefully trying to pentest Google. And he "stopped". Maybe he was just lucky, to be looking for trouble, and surviving without getting Men in Black to pick him up?

I believe in luck, had I a choice I would only hire people who can show they are lucky, luck begets luck, and any company should buy as much luck as it can. This kid is lucky. BTW, I believe the average income for Uruguay is like $800.

Alas, the really lucky ones run away from like like the plague...:-(

I'm happy if someone can tell me during an interview that they won a school raffle...

Silver badge

Re: Kudos to all involved

Google has well-thought-out policies about what is permissible. The $10K looks to be for "Logic flaw bugs leaking or bypassing significant security controls" with "remote user impersonation" listed explicitly as an example. If you were strictly applying the rules you could argue that "Never attempt to access anyone else's data" wasn't followed, but there is also an argument that he couldn't know he would be accessing confidential data before it redirected him, so it isn't like he's trying to access another user's Gmail or something. I think they probably just appreciated that they knew about it before* it was maliciously exploited.

*Probably


Re: Kudos to all involved

Although maybe no Kudos to the dev(s) who failed to confirm they were checking the authority of any access and to the tester(s) who failed to try and access it without the correct authority.

I'd be pushing 'yaqs' back into the testing team for a full going over - if they didn't bother with even the basic authorisation checking did they validate query strings and form fields for tampering?

Silver badge

Re: Kudos to all involved

@AC

I believe in luck, had I a choice I would only hire people who can show they are lucky

Well, here's a simple tip: before interviewing, take half the applications and bin them.


Re: Kudos to all involved

My guess is yaq utilizes auth or certificates or other web server based security, which is enabled on the internal server, but not the external one. Probably some other developer or team decided it was very neat and scalable to have all vhosts on one big virtual filesystem. A quick fix would be some internal/external read permissions on that file system. But really, prod/dev/internal should be separated all the way down the stack to avoid things like this. Google can afford a few more hosts to accomplish this.

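The separation this comment argues for can also be enforced at each listener: refuse, with 421, any Host value naming a virtual host that listener is not meant to serve. This is an added example, not the commenter's or Google's code; the listener names, hostnames and the rejected header forms are constructed.

```python
# Added example, not the commenter's or Google's code: a Host-header
# allowlist that keeps a virtual host meant for one listener from being
# served by another. Listener and host names below are constructed.
from urllib.parse import urlsplit

HOSTNAME_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-.")


def normalize_host(raw):
    """Canonicalise a Host header value to a bare, lowercase DNS name.

    Strips whitespace, an optional :port and a trailing dot; rejects userinfo,
    paths, queries, fragments, bad ports and non-DNS characters (IP literals
    are out of scope) so no spelling of a name dodges the allowlist below.
    """
    host = raw.strip().lower()
    if not host:
        return None
    try:
        parts = urlsplit("//" + host)  # leading // makes urlsplit read it as a netloc
        parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:  # also raised by urlsplit for an unbalanced IPv6 bracket
        return None
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return None
    name = (parts.hostname or "").rstrip(".")
    return name if name and set(name) <= HOSTNAME_CHARS else None


# Constructed topology: the external listener serves only the public site, the
# internal one also serves an internal tool. A request on the external listener
# naming the internal tool must get 421, not a default vhost's content.
LISTENERS = {
    "external": frozenset({"www.example.com"}),
    "internal": frozenset({"www.example.com", "tool.corp.example"}),
}


def select_vhost(listener, raw_host):
    """Return (status, detail): 400 for a missing or malformed Host header,
    421 for a well-formed name this listener does not serve, else 200 and the
    canonical vhost name to dispatch to."""
    if raw_host is None:
        return 400, "missing Host header"
    host = normalize_host(raw_host)
    if host is None:
        return 400, "malformed Host header"
    if host not in LISTENERS[listener]:
        return 421, "misdirected request"
    return 200, host
```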
Childcatcher

That "email from Google" looks like a Nigerian scam

Send it to every South of the Border kid with a Github. Ask $25 so they can access their payout, "for exchange rates fees".

I should charge a percentage...

Anonymous Coward

There are an infinite number of monkeys out there

who are happy to pen test your network for peanuts.

Silver badge
Happy

Re: There are an infinite number of monkeys out there

"who are happy to pen test your network for peanuts."

Multitasking whilst writing Shakespeare?

Silver badge

Re: There are an infinite number of monkeys out there

Like this?

https://en.wikipedia.org/wiki/Fuzzing


If that kid values his freedom then attending DEF-CON physically should be out of the cards now.

Investing a portion of those 10k in a good videoconferencing rig is the safe option if he plans to attend DEF-CON in the future.

Silver badge

"For a schoolboy in Uruguay that's a serious amount of cash – it's five times the average monthly salary"

FUUUUUUUUUUUUUUUU.... ahem. Apparently an easy way to literally multiply my salary several times would be to move from EU to Uruguay. Well, there's one I didn't see coming...

Silver badge
Flame

It's 4.6 times MY monthly salary, in the UK :(

Silver badge
Joke

"It's 4.6 times MY monthly salary, in the UK :("

I take mine black, like my coal.

Anonymous Coward

All well and good but he's probably not welcome to have a job there ;c)

Bronze badge

Kudos!

Kudos to this kid, but I would advise to *never* travel via the US from now on...

Fly via Canada, or Cuba, or Mexico, or Spain...

