Home Hacking News Security researcher has earned a $5000 bounty from Google

Security researcher has earned a $5000 bounty from Google

by Unallocated Author

A security researcher was looking at some Google services hoping to find something worth a bounty until he found a bug and got $5000 bounty.

He came across “https://login.corp.google.com” which is a simple login page that seems to be for Google employees.

login.corp.google.com Login Page

He said that every time the page is reloaded, a new image from “https://static.corp.google.com” is loaded directly into the page.

An example of image URL is: “https://static.corp.google.com/corpsso/images/PICT0004.jpg”

After many tries, he was able to get the default Google 404 error, but with one difference by going to the following URL:

Special Google 404 Page

A feature called “Re-run query with SFFE debug trace” pointed to:

The debugging page contained various parts of information, providing the server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and other information that is related to Cloud Bigtable.

information disclosure

The issue was reported to Google on January 19, but a permanent fix was rolled out on March 16. Google rewarded the researcher $5,000 for this big, which is the maximum bounty of information disclosure bug. Google has spent out more than $9 million since the start of its bug bounty program in 2010, the highest single reward in 2016 was $100,000.


You may also like