
$7.5k Google services mix-up (2018) - sillysaurusx
https://sites.google.com/site/testsitehacking/-7-5k-Google-services-mix-up
======
shockinglytrue
I think any xoogler will agree
[https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce](https://sites.google.com/site/testsitehacking/-36k-google-app-engine-rce) is far more impressive.

It seems fairly safe to assume someone has already snapped this guy up. I
can't recall the last time I felt so impressed reading some security writeup

~~~
jchw
This one was good too, especially because the screenshot definitely gave many
some heart palpitations.

[https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/](https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/)

~~~
saagarjha
That's a _lot_ of internal information. I'm not sure I'd be comfortable
publishing that, even if the company was friendly to security researchers.

~~~
jchw
I think if I were an outsider I would’ve probably gotten pretty shy just after
discovering an internal SSRF at a big corp. However, that also probably
explains why I am not a security researcher.

------
mbroshi
I think the link should be here:
[https://www.ezequiel.tech/2019/01/75k-google-cloud-platform-organization.html](https://www.ezequiel.tech/2019/01/75k-google-cloud-platform-organization.html)

And the date should be (2019)

~~~
floatingatoll
It was first posted at this URL in 2018-02:

[https://web.archive.org/web/20180215070105/https://sites.google.com/site/testsitehacking/-7-5k-Google-services-mix-up](https://web.archive.org/web/20180215070105/https://sites.google.com/site/testsitehacking/-7-5k-Google-services-mix-up)

------
nerdbaggy
I wonder if they detected the exploit an hour after he did because of internal
alarms he was setting off.

------
saagarjha
Previous RCE by the author, which earned them a $36k bug bounty:
[https://news.ycombinator.com/item?id=17118326](https://news.ycombinator.com/item?id=17118326)

------
londons_explore
My guess is the "independent discovery 1 hour earlier" wasn't truly
independent.

I'd guess that by messing with this stuff, it probably broke some internal
systems that ended up firing alerts to engineers internally. Those engineers
then 'discovered' the bug, and started fixing it.

Most systems at scale are designed to reject bad input, log it, but nobody
takes any action.

A few systems have to process _every_ record in order. For example, the
billing system might go through every entry in a database table and add them
to bills. If just _one_ entry is malformed in some way and can't be added to
the bill, it is retried. If there isn't success after a few retries, the whole
process fails, and an engineer is paged to sort the problem.

I saw this kind of thing multiple times... You think you have fully sanitized
every input, but someone always finds a way to add a 30 gigabyte surname to
the address book, choose a profile image with negative dimensions, have a
million devices share the same MAC address, etc.

------
lstamour
Note the timeline says this occurred in early 2018. The $7.5k is the reward,
the bug itself was with Google Cloud API management and could theoretically
allow users to enable billable APIs without enabling billing, or to access
private APIs or to disable APIs for third-party projects.

------
Narkov
> About me > I am 18-year-old student at the University of the Republic

So impressive! This is great work.

------
Gunax
Damn... One hour. It's like the patenting of the telephone all over again.

