Hmmmm....
Hacking US of A commercial web pages?
Obtaining monetary gain from the activity?
He should probably stay away from DEF-CON... (Yes, I know. I'm joking. Well, probably... :-( ).
A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents. While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google's …
Firstly, to the kid for responsive disclosure and for being so level-headed ("I just think it was a very simple bug").
Secondly to Google for just paying the bounty. Certain other companies would try and get the kid hit with some ridiculous charge or threaten if he so much as farts in public they'll throw the book at him.
Textbook stuff.
hmm, the kid was purposefully trying to pentest Google. And he "stopped". Maybe he was just lucky, to be looking for trouble, and surviving without getting Men in Black to pick him up?
I believe in luck; had I a choice I would only hire people who can show they are lucky. Luck begets luck, and any company should buy as much luck as it can. This kid is lucky. BTW, I believe the average income for Uruguay is like $800.
Alas, the really lucky ones run away from like like the plague...:-(
I'm happy if someone can tell me during an interview that they won a school raffle...
Google has well-thought-out policies about what is permissible. The $10K looks to be for "Logic flaw bugs leaking or bypassing significant security controls", with "remote user impersonation" listed explicitly as an example. If you were strictly applying the rules you could argue that "Never attempt to access anyone else's data" wasn't followed, but there is also an argument that he couldn't know he would be accessing confidential data before it redirected him, so it isn't like he's trying to access another user's Gmail or something. I think they probably just appreciated that they knew about it before* it was maliciously exploited.
*Probably
Although maybe no Kudos to the dev(s) who failed to confirm they were checking the authority of any access and to the tester(s) who failed to try and access it without the correct authority.
I'd be pushing 'yaqs' back into the testing team for a full going over - if they didn't bother with even the basic authorisation checking did they validate query strings and form fields for tampering?
My guess is yaq utilizes auth or certificates or other web server based security, which is enabled on the internal server, but not the external one. Probably some other developer or team decided it was very neat and scalable to have all vhosts on one big virtual filesystem. A quick fix would be some internal/external read permissions on that file system. But really, prod/dev/internal should be separated all the way down the stack to avoid things like this. Google can afford a few more hosts to accomplish this.
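The separation the comment above argues for can be enforced at the front end as well as on the filesystem: an added example (not code from the article or from any commenter), using hypothetical vhost names, that refuses to route an internal vhost from the external listener and requires an authenticated user on the internal one.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration: one front end serving several vhosts.
# Hypothetical hostnames; "internal" vhosts must never be reachable from outside.
PUBLIC_VHOSTS = {"www.example.com"}
INTERNAL_VHOSTS = {"yaqs.internal.example"}


@dataclass
class Request:
    host: str                  # value of the Host header as sent by the client
    listener: str              # "external" or "internal": which interface accepted it
    user: Optional[str] = None  # authenticated identity, None if anonymous


def normalise_host(raw: str) -> str:
    """Strip any port and case-fold, so 'YAQS.Internal.Example:8443' matches."""
    return raw.split(":", 1)[0].strip().lower()


def route(req: Request) -> Tuple[int, str]:
    """Dispatch a request to a vhost, enforcing listener and auth boundaries.

    Returns (status, label). The external listener answers 404 for internal
    vhosts rather than 401, so it does not even confirm the name exists.
    """
    host = normalise_host(req.host)
    if host in PUBLIC_VHOSTS:
        return 200, f"public:{host}"
    if host in INTERNAL_VHOSTS:
        if req.listener != "internal":
            return 404, "unknown host"
        if req.user is None:
            return 401, "authentication required"
        return 200, f"internal:{host}"
    # Host header names nothing we serve: do not fall back to a shared tree.
    return 421, "misdirected request"


if __name__ == "__main__":
    print(route(Request("yaqs.internal.example", "external")))
    print(route(Request("yaqs.internal.example", "internal", user="alice")))
```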