By Shane Curtis
Google has rewarded a Uruguayan student with $10,000 after he exposed a security flaw that could allow hackers to access sensitive data.
Ezequiel Pereira discovered the vulnerability in Google’s App Engine server after changing the Host header of requests to the server using the Burp proxy.
The high-school student explained in a blog post, “I was bored, so tried to find some bug at Google”.
Following several failed attempts, he managed to gain access to an internal webpage that did not check his username or require any other security measure.
It was there that Pereira was redirected to the page “/eng” and was surprised to find himself somewhere Google never intended him to be.
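The flaw class described above, as an added illustration that is not Google’s code or Pereira’s: a front end that selects a backend purely from the client-supplied Host header will serve an internal virtual host to anyone who names it, so the fix is an allow-list of externally published hosts at the edge plus an identity check inside the internal app. Host names, header names and responses are hypothetical.

```python
# Constructed example (not Google's code): Host-header routing, the weak
# configuration beside the hardened one. Host names are hypothetical.
from typing import Callable, Dict

Request = Dict[str, str]  # request headers with lower-cased names (demo only)
Handler = Callable[[Request], str]

def public_site(req: Request) -> str:
    return "200 public"

def internal_eng_unchecked(req: Request) -> str:
    # As on the page: the internal page relied on being unreachable and
    # performed no identity check of its own.
    return "200 confidential eng page"

def internal_eng(req: Request) -> str:
    # Defense in depth: the internal app verifies identity itself (here via
    # a hypothetical header set by an authenticating proxy).
    if not req.get("x-verified-user"):
        return "401 sign-in required"
    return f"200 eng page for {req['x-verified-user']}"

BACKENDS_WEAK: Dict[str, Handler] = {
    "www.example.test": public_site,
    "eng.internal.test": internal_eng_unchecked,
}
BACKENDS: Dict[str, Handler] = {
    "www.example.test": public_site,
    "eng.internal.test": internal_eng,
}
PUBLIC_HOSTS = {"www.example.test"}  # hosts the external edge may serve

def route_weak(req: Request) -> str:
    """Weak: any configured backend is reachable by naming it in Host."""
    handler = BACKENDS_WEAK.get(req.get("host", ""))
    return handler(req) if handler else "404 unknown host"

def route_hardened(req: Request) -> str:
    """Hardened: unpublished hosts are refused at the edge (421 Misdirected
    Request) and logged, so probing shows up in detection."""
    host = req.get("host", "")
    if host not in PUBLIC_HOSTS:
        print(f"ALERT unexpected Host header from external client: {host!r}")
        return "421 misdirected request"
    return BACKENDS[host](req)

if __name__ == "__main__":
    probe = {"host": "eng.internal.test"}  # constructed request, no identity
    print(route_weak(probe))       # internal page served to an outsider
    print(route_hardened(probe))   # refused at the edge
```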
After reading something in the ‘Google Confidential’ footer, he decided to stop and “reported the issue right away”.
A member of Google’s security team replied saying they would look into the issue and respond to him once they had reviewed the bug.
At this point the student thought very little would come of it: “Cool, this is probably a small thing that isn’t worth a dime, the website probably had some technical stuff about Google servers and nothing really important”, he said.
As it turned out, the issue he found was worth a lot more than a dime, and Google informed him that his reported bug would see him receive $10,000 from Google’s Vulnerability Reward Program (VRP).
In 2013 Google broadened its VRP policy to include a selection of high-risk software applications, primarily ones designed for networking. Its previous bug bounty program had focused mostly on Google products.
The Uruguayan student, who said he wants to become a security researcher in the future, was understandably delighted and also confirmed that the issue has been resolved: “The bug has been fixed now, and, according to Google, the large reward was because they found a few variants that would have allowed an attacker to access sensitive data”, he added.