Jump to content
Sign in to follow this  

Amateur Researcher Finds $10,000 Google Vulnerability

Recommended Posts


Google makes a habit of paying out respectable amounts to people who find flaws in its products, and that is exactly what happened to high schooler Ezequiel Pereira of Uruguay, who netted $10,000 from the search giant in return for finding a simple, but potentially devastating bug that could let outsiders into its internal intranet.


The hack essentially consisted of changing around the host header for a specific set of URLs and just trying different domains until one was found that let the attacker in without any kind of error or security check. Using a penetration tester called Burp, Pereira managed to find and get into “yaqs.googleplex.com”, a site within Google’s internal intranet that just happened to be connected to the internet, and left relatively unsecured.


Using Burp, Pereira was able to cycle through different URLs quickly, and try them from different hostname declarations. There was no real exploit used here; Pereira simply said he was accessing the site from inside Google, and the site believed him.


It seemed to be a harmless page full of categorically arranged information about Google’s departments and services, perhaps left there specifically for security researchers to stumble across. When Pereira happened across a file that was labeled as confidential, he immediately filed a report to Google.


The company got back to him after looking into the issue independently, and had found that the method Pereira was using could eventually have led an attacker to a place in Google’s intranet where they could potentially have found customers’ personal information. When Pereira asked why his reward payout was so high, that was the answer that Google gave him.


Security researchers, both professional and amateur, have managed to find a good number of vulnerabilities and bugs in Google’s programs and services over the years. The company publishes a report every now and then showing how much it has paid out, arranged by what product or service a bug was found in and the severity of the bugs.


This program is instrumental in helping Google to find and squash high-level bugs that may otherwise be exploited to obtain confidential information or help hackers obtain confidential information about Google, its partners, or even users of its services. 


Share this post

Link to post
Share on other sites

not  so much of a Amateur 

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.