Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents. While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used Burp to manipulate the Host header in web connections to Google's …

  1. The_Idiot

    Hmmmm....

    Hacking US of A commercial web pages?

    Obtaining monetary gain from the activity?

    He should probably stay away from DEF-CON... (Yes, I know. I'm joking. Well, probably... :-( ).

    1. mathew42

      Re: Hmmmm....

      I'd suggest membership of EFF might be a reasonable insurance policy if he does plan to travel.

    2. This post has been deleted by its author

  2. Adam 1

    Kudos to all involved

    Firstly, to the kid for responsive disclosure and for being so level headed ("I just think it was a very simple bug")

    Secondly to Google for just paying the bounty. Certain other companies would try and get the kid hit with some ridiculous charge or threaten if he so much as farts in public they'll throw the book at him.

    Textbook stuff.

    1. Adam 1

      Re: Kudos to all involved

      Responsible disclosure. Freaking autocarrot.

    2. Anonymous Coward

      Re: Kudos to all involved

      hmm, the kid was purposefully trying to pentest Google. And he "stopped". Maybe he was just lucky, to be looking for trouble, and surviving without getting Men in Black to pick him up?

      I believe in luck; had I a choice I would only hire people who can show they are lucky. Luck begets luck, and any company should buy as much luck as it can. This kid is lucky. BTW, I believe the average income for Uruguay is like $800.

      Alas, the really lucky ones run away from it like the plague... :-(

      I'm happy if someone can tell me during an interview that they won a school raffle...

      1. Adam 1

        Re: Kudos to all involved

        Google has well thought out policies about what is permissible. The $10K looks to be for "Logic flaw bugs leaking or bypassing significant security controls" with "remote user impersonation" listed explicitly as an example. If you were strictly applying the rules you could argue that "Never attempt to access anyone else's data" wasn't followed, but there is also an argument that he couldn't know he would be accessing confidential data before it redirected him, so it isn't like he's trying to access another user's Gmail or something. I think they probably just appreciated that they knew about it before* it was maliciously exploited.

        *Probably

      2. Prst. V.Jeltz Silver badge

        Re: Kudos to all involved

        @AC

        I believe in luck, had I a choice I would only hire people who can show they are lucky

        Well here's a simple tip: Before interviewing, take half the applications and bin them.

    3. maffski

      Re: Kudos to all involved

      Although maybe no Kudos to the dev(s) who failed to confirm they were checking the authority of any access and to the tester(s) who failed to try and access it without the correct authority.

      I'd be pushing 'yaqs' back into the testing team for a full going over - if they didn't bother with even the basic authorisation checking did they validate query strings and form fields for tampering?

      1. Random Q Hacker

        Re: Kudos to all involved

        My guess is yaq utilizes auth or certificates or other web server based security, which is enabled on the internal server, but not the external one. Probably some other developer or team decided it was very neat and scalable to have all vhosts on one big virtual filesystem. A quick fix would be some internal/external read permissions on that file system. But really, prod/dev/internal should be separated all the way down the stack to avoid things like this. Google can afford a few more hosts to accomplish this.
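        The two points above (maffski's, that nobody confirmed an authorisation check was actually enforced, and Random Q Hacker's, that an internal vhost was apparently reachable through the external server purely by what the client put in the Host header) can be illustrated with a small Python dispatcher. This is an added example, not code from The Register article, from Google, or from any commenter; the host names, the `yaqs.internal.example` vhost, the SSO token and the listener names are all constructed. It contrasts a router that picks content by Host alone with one that allow-lists Host values, binds each vhost to the listener that may serve it, and enforces the vhost's own authentication regardless of how the request arrived.

```python
# Added example (not from the article or the commenters): a toy HTTP
# dispatcher contrasting a shared-vhost router that trusts the Host header
# with one that binds each vhost to its listener and enforces its own auth.
# All host names, tokens and paths below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Request:
    listener: str                   # interface that received it: "external" or "internal"
    host: str                       # raw HTTP Host header value
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


# Hypothetical shared content store, keyed by canonical host name.
DOCROOTS = {
    "www.example.com": "public site",
    "yaqs.internal.example": "internal Q&A content",
}

# Hypothetical vhost policy: where each vhost may be served and what auth it needs.
VHOSTS = {
    "www.example.com":       {"listener": "external", "auth": None},
    "yaqs.internal.example": {"listener": "internal", "auth": "internal-sso"},
}

INTERNAL_SSO_TOKEN = "constructed-sso-token"   # stand-in for a real SSO session check


def canonical_host(raw: str) -> Optional[str]:
    """Normalise a Host header: strip port, trailing dot and case; reject junk."""
    host = raw.strip().lower()
    if host.startswith("["):                    # IPv6 literal, e.g. [::1]:8080
        end = host.find("]")
        if end == -1:
            return None
        host = host[: end + 1]
    else:
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    if not host or any(c in host for c in " /\\@?#"):
        return None
    return host


def authenticated(req: Request, scheme: str) -> bool:
    """Toy stand-in for the auth a vhost requires; real code would verify a session."""
    if scheme == "internal-sso":
        return req.headers.get("x-internal-sso") == INTERNAL_SSO_TOKEN
    return False


def route_by_host_only(req: Request) -> Tuple[int, str]:
    """Vulnerable pattern: every listener serves every vhost, chosen purely by Host."""
    host = canonical_host(req.host)
    if host in DOCROOTS:
        return 200, f"{DOCROOTS[host]} at {req.path}"
    return 404, "no such vhost"


def route(req: Request) -> Tuple[int, str]:
    """Hardened router: allow-listed Host, listener binding, per-vhost auth."""
    host = canonical_host(req.host)
    policy = VHOSTS.get(host) if host else None
    if policy is None:
        return 421, "Misdirected Request: unknown Host"
    if policy["listener"] != req.listener:
        # A request for an internal name arriving on the external interface is
        # refused here, before any content lookup happens.
        return 421, "Misdirected Request: vhost not served on this listener"
    if policy["auth"] and not authenticated(req, policy["auth"]):
        return 401, "authentication required"
    return 200, f"{DOCROOTS[host]} at {req.path}"


if __name__ == "__main__":
    probe = Request("external", "yaqs.internal.example", "/secret")
    print("host-only router:", route_by_host_only(probe))   # serves internal content
    print("hardened router: ", route(probe))                # 421, nothing served
```

The listener check and the auth check are deliberately independent: even if the external interface were misconfigured to accept the internal name, the vhost still demands its own credential, which is the layered separation Random Q Hacker's comment argues for. A test that sends the internal Host value to the external listener and expects a 4xx is exactly the negative case maffski says the testers should have written.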

  3. anonCoward24
    Childcatcher

    that "email from Google" looks like a Nigerian scam

    send it to every South of the Border kid with a Github. Ask $25 so they can access their payout, "for exchange rates fees".

    I should charge a percentage...

  4. Anonymous Coward

    There are an infinite number of monkeys out there

    who are happy to pen test your network for peanuts.

    1. hplasm
      Happy

      Re: There are an infinite number of monkeys out there

      "who are happy to pen test your network for peanuts."

      Multitasking whilst writing Shakespeare?

    2. This post has been deleted by its author

  5. el kabong

    If that kid values his freedom then attending DEF-CON physically should be out of the cards now.

    Investing a portion of those 10k in a good videoconferencing rig is the safe option if he plans to attend DEF-CON in the future.

  6. DropBear

    "For a schoolboy in Uruguay that's a serious amount of cash – it's five times the average monthly salary"

    FUUUUUUUUUUUUUUUU.... ahem. Apparently an easy way to literally multiply my salary several times would be to move from EU to Uruguay. Well, there's one I didn't see coming...

    1. Prst. V.Jeltz Silver badge
      Flame

      It's 4.6 times MY monthly salary, in the UK :(

      1. Sir Runcible Spoon
        Joke

        "It's 4.6 times MY monthly salary, in the UK :("

        I take mine black, like my coal.

  7. Anonymous Coward

    All well and good but he's probably not welcome to have a job there ;c)

  8. anothercynic Silver badge

    Kudos!

    Kudos to this kid, but I would advise to *never* travel via the US from now on...

    Fly via Canada, or Cuba, or Mexico, or Spain...
