Google has rewarded a Uruguayan student with $10,000 after he exposed a security flaw that could allow hackers to access sensitive data.
Ezequiel Pereira discovered the vulnerability in Google’s App Engine server after changing the Host header in requests to the server using Burp.
The high-school student explained in a blog post, “I was bored, so tried to find some bug at Google”.
Following several failed attempts, he managed to gain access to an internal webpage that did not check his username or require any other security measure.
It was here that Pereira was redirected to the page, “/eng”, and was surprised to find himself somewhere that Google never intended him to be.
After reading something in the ‘Google Confidential’ footer, he decided to stop and “reported the issue right away”.
A member of Google’s security team replied saying they would look into the issue and respond to him once they had reviewed the bug.
At this point the student thought very little would come from it, "Cool, this is probably a small thing that isn't worth a dime, the website probably had some technical stuff about Google servers and nothing really important", he said.
As it turned out the issue he found was worth a lot more than a dime and Google informed him that his reported bug would see him receive $10,000 from Google’s Vulnerability Reward Program (VRP).
In 2013 Google broadened their VPR policy to include a selection of high-risk software applications, primarily designed for networking. Its previous bug bounty program focused mostly on Google products.
The Uruguayan student said that he wants to become a security researcher in the future and was understandably delighted and also confirmed the issue has been resolved, “The bug has been fixed now, and, according to Google, the large reward was because they found a few variants that would have allowed an attacker access sensitive data”, he added.