On July 11th, Uruguayan high school student Ezequiel Pereira was bored, aimlessly playing around with some Google services, has discovered a vulnerability that enabled coaxing one of the company’s back-end servers into granting attackers access to secret data.
Ezequiel used the popular vulnerability scanner Burp Suite to change the host header and that made it possible to access some internal App Engine applications such as *.googleplex.com.
According to the researcher:
“I tried a lot of things in many Google services, one of those things was changing the Host header in requests to the App Engine server (*.appspot.com) in order to get access to some internal App Engine apps (*.googleplex.com) that usually require going through the MOMA login page (Which acts as a proxy called “ÜberProxy”). I used Burp because it was easier to change the Host header quickly and to see the result.”
Most of my attempts failed, either because the server returned a 404 Not Found, or because it had some security measure such as checking that I used a Googler account (“[email protected]”) instead of a normal Google account. But one of the websites I tried, “yaqs.googleplex.com”, didn’t check my username, nor had any other security measure.
Quickly after he found the bug, he reviewed the steps to make sure it could be reproduced and then reported the issue to Google.
Google confirmed the report quickly and notified the researcher later that he was awarded $10,000 for the discovery.