Google has rewarded a high school student with $10,000 after he found a security flaw that could have been used by attackers to access and steal confidential data.
Ezequiel Pereira, a student from Uruguay, explained in a blog post that he was "bored" one day, so he tried to find a bug in Google. Using Burp Suite, a tool for testing web application security, he sent requests to the Google App Engine front end while changing the Host header, the field the front end uses to decide which hosted site a request belongs to.
Most of his attempts failed: either the server returned a '404: Not Found' response, or the site he reached first checked whether he was signed in with a Google employee's account. One site, however, had no such check. Its front page redirected him to '/eng', which, to Pereira's surprise, contained different sections about Google services and infrastructure.
Digging deeper, he noticed the words 'Google Confidential' in the page footer. With that discovery in hand, he reported the issue to Google.
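To make the routing behaviour concrete, here is an added example (not Pereira's code and not Google's): a small Python script that starts a constructed mock front end which routes requests by the Host header, then probes it the way the article describes, sending requests with attacker-chosen Host values and classifying each result as not routed, gated by a redirect to a login host, or exposing a page that carries a confidentiality marker. All hostnames, paths and page bodies are hypothetical stand-ins for the internal names the article does not give; the script uses only the standard library and runs offline.

```python
"""Host-header routing probe against a constructed mock front end (example only)."""
import http.client
import http.server
import threading
import urllib.parse

# Hypothetical hostnames; the mock front end routes on these.
HOST_MISSING = "missing-app.corp.example"   # nothing is bound to this name
HOST_GATED = "gated-app.corp.example"       # backend insists on a corporate login
HOST_OPEN = "open-app.corp.example"         # misconfigured backend: no login check
LOGIN_HOST = "login.corp.example"           # where gated apps bounce unauthenticated users
SSO_HOSTS = {LOGIN_HOST}

# Strings that mark a page as internal; the first is the one Pereira saw in the footer.
CONFIDENTIAL_MARKERS = ("Google Confidential", "INTERNAL ONLY")

# Constructed body for the open app's /eng page.
OPEN_BODY = (b"<html><body><h1>/eng</h1><p>Services and infrastructure notes.</p>"
             b"<footer>Google Confidential</footer></body></html>")


class MockFrontEnd(http.server.BaseHTTPRequestHandler):
    """Picks a backend from the Host header and mimics the three outcomes in the article."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":", 1)[0].lower()
        if host == HOST_GATED:
            # Auth gate: redirect to SSO before serving anything.
            target = f"https://{LOGIN_HOST}/?continue=https://{host}{self.path}"
            self._reply(302, b"", {"Location": target})
        elif host == HOST_OPEN:
            if self.path == "/":
                self._reply(302, b"", {"Location": "/eng"})   # same-host redirect, no login
            else:
                self._reply(200, OPEN_BODY)
        else:
            self._reply(404, b"Not Found")

    def _reply(self, status, body, extra=None):
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def fetch(port, host, path):
    """One GET with an attacker-chosen Host header; redirects are not followed automatically."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe_host(port, host, max_hops=3):
    """Classify how the front end treats a Host value, following same-host redirects only."""
    path = "/"
    for _ in range(max_hops):
        status, location, body = fetch(port, host, path)
        if status == 404:
            return "not routed"
        if 300 <= status < 400 and location:
            parsed = urllib.parse.urlsplit(location)
            if parsed.netloc and parsed.netloc != host:
                return "gated by sso" if parsed.netloc in SSO_HOSTS else f"redirect to {parsed.netloc}"
            path = parsed.path or "/"          # e.g. / -> /eng: keep probing the same host
            continue
        if status == 200:
            if any(marker in body for marker in CONFIDENTIAL_MARKERS):
                return "exposed internal content"
            return "reachable"
        return f"unexpected status {status}"
    return "redirect loop"


def start_mock_front_end():
    server = http.server.HTTPServer(("127.0.0.1", 0), MockFrontEnd)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_probe():
    """Start the mock, probe each candidate Host, and return {host: verdict}."""
    server = start_mock_front_end()
    port = server.server_address[1]
    try:
        return {h: probe_host(port, h) for h in (HOST_MISSING, HOST_GATED, HOST_OPEN)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, verdict in run_probe().items():
        print(f"{host:26s} {verdict}")
```

The probe deliberately does not follow off-host redirects: a bounce to a login host is itself the finding ("this app is gated"), while a same-host redirect such as '/' to '/eng' is followed so the final page can be checked for an internal-only marker. Against a real target, the Host values would come from a wordlist and the marker list from whatever the organisation stamps on internal pages.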
A few hours later, he received a response from the company confirming the flaw. He initially didn't think much of the discovery. "Cool, this is probably a small thing that isn't worth a dime, the website probably had some technical stuff about Google servers and nothing really important," he wrote.
A few weeks later, however, he realized that his report "was worth much more than a dime." Google informed him that he would receive $10,000 through its Vulnerability Reward Program (VRP) for the report.
Pereira has since confirmed that Google fixed the issue. He also asked Google why the reward was so large. "According to Google, the large reward was because they found a few variants that would have allowed an attacker [to] access sensitive data," he concluded.
Source: Ezequiel Pereira via ESET