Uruguayan high schooler wins $10K for spoofing Google server

A resourceful high school researcher Ezequiel Pereira was rewarded by Google $10,000 bug bounty. This happened when the independent security researcher was able to point out a vulnerability that could grant access to confidential information.

According to the researcher, while he was toying around some of the Google services, it was found that it is possible to enter some of the internal App engine applications by using the vulnerability scanner Burb Suite for modifying the host reader.

Want a Free Website

The researcher found out that unlike other Google services he tested, one of the security measures of the website was not properly set. The website yaqs.googleplex.com easily allowed him to connect even without checking his username or account information. Once he was able to enter the website, he was redirected to a page that contained links to various services and infrastructures for the company. And interestingly the footer indicated towards something as Google confidential. This made the researcher report the issue to Google without wasting any time.

He reported the problem to Google on July 11 and in response to which the company assured him that he will be contacted once the security team is able to assess the severity of the problem. On August 4, the researcher was rewarded with a handsome amount of $10,000 for his effort.

The company did not tell the researcher what kind of information could have been revealed through the website. The company’s cyber security team, however, responded that the large bug bounty was rewarded because some variants of vulnerability were seriously capable of putting the sensitive information at risk. This was the information that could cost millions of dollars to Google.

Via: TNW

Want a Free Website

Written by Hisham Sarwar


That is all you ever need to know about me but let me warn you, freelancing for me is a journey, certainly not a destination :)