
Google bug bounty for security exploit that influences search results - TomAnthony
http://www.tomanthony.co.uk/blog/google-xml-sitemap-auth-bypass-black-hat-seo-bug-bounty/
======
jaboutboul
Google should be ashamed of themselves for this meaningless, token “make
ourselves feel good” payout. They have straight up exploited the reporter of
the exploit.

This could have been used to make millions and they took advantage of the
reporter’s good faith and benevolent motivations.

Google, this is worth at least $1,000,000 to you guys, and even more, in lost
revenue, plus the impact of what gaming your search algorithm would have cost
and damage to your reputation. Stop taking advantage of people.

Give this man what he deserves!

~~~
EADGBE
His console says 33.2k of ad buys. I'd say it's worth _at least_ that much to
them.

It's literally their numbers spitting out how much it would have cost!

But hey, at least it's Leet.

~~~
esnard
It was a SEMRush screenshot, not related to Google, so it wasn't their
numbers.

~~~
EADGBE
Apologies. Definitely an estimated start.

------
x0x
@TomAnthony, This is f*up, google should have given you at least $1,337,000
bounty for this. This is one of the most profitable exploits I've seen
discovered by anyone. Plus you've done the right thing and reported it. Good
job on this discovery!

"I have a couple of other ideas for search related attacks, but am not sure
I'm going to explore them any longer."

You're valuing yourself way too low. You've done a good job with this and
should receive more bounty for it. Also see if you can earn more for doing
research elsewhere: [https://www.bugcrowd.com/bug-bounty-list/](https://www.bugcrowd.com/bug-bounty-list/)
Also maybe use something like [https://www.hackerone.com/](https://www.hackerone.com/)

------
TomAnthony
To answer a few FAQs I've had over the last few days:

\- I've not seen a confirmed use of this in the wild yet, despite a few people
emailing me stories where they suspect it.

\- I am unsure what is with the bug bounty amount. I think either:

  1) The various teams didn't communicate well about the impact until after the award,
  2) I haven't fully understood the bug; however, as per VRP rules I stopped when I had "discovered a potential security issue", at which point "The panel will consider the maximum impact". It may be I've not understood the impact fully.
  3) They want to discourage SEO-type research as opposed to pure security research, but I doubt that is the case and it doesn't match up with my previous dealings with the team.

\- There are a few technical details not in the article (for example I believe
the sitemap has to be a sitemap index file), but nothing that greatly changes
it.

\- If you are concerned you are affected, I'm happy to take a quick look at
your data for free (tom.anthony@distilled.net) to see if I have any insights.

\- The best/only way to detect this being done to you is to find the 301/302
redirects for the sitemap in your server logs.
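
The check described in the last point above, as an added example that is not part of the original post or the author's tooling: it parses Apache/nginx "combined" format access-log lines and flags Googlebot requests that were answered with a 301/302, especially where the query string carried an absolute URL pointing at another host (the open-redirect shape the attack relies on). The hostname `example.com`, the `/redirect?url=` endpoint and the log lines themselves are constructed for the example; the combined log format does not record the `Location` header, so a redirect with no foreign URL in the query is reported only as something to check by hand.

```python
"""Flag Googlebot requests that hit a 301/302 on this site, i.e. the
server-log signature of a pinged sitemap URL being redirected off-domain.

Added example; not from the original post. Assumes Apache/nginx
"combined" log format and that this site is example.com (assumption).
"""
import re
from urllib.parse import parse_qsl, urlsplit

OWN_HOST = "example.com"  # assumed victim hostname

# One line of the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '66.249.66.1 - - [02/Apr/2018:10:01:02 +0000] "GET /sitemap.xml HTTP/1.1" 200 1532 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '66.249.66.1 - - [02/Apr/2018:10:01:09 +0000] '
    '"GET /redirect?url=https%3A%2F%2Fattacker.example%2Fsitemap_index.xml HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [02/Apr/2018:10:02:00 +0000] '
    '"GET /redirect?url=https%3A%2F%2Fpartner.example%2F HTTP/1.1" 302 0 "https://example.com/" '
    '"Mozilla/5.0 (Windows NT 10.0) Chrome/65.0"',
    '66.249.66.1 - - [02/Apr/2018:10:03:00 +0000] "GET /old-path HTTP/1.1" 301 0 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def foreign_urls_in_query(target, own_host=OWN_HOST):
    """Return absolute http(s) URLs in the query string whose host is not own_host.

    parse_qsl percent-decodes values, so an encoded URL is recovered as well.
    """
    found = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.netloc \
                and parts.netloc.lower() != own_host.lower():
            found.append(value)
    return found


def is_googlebot(user_agent):
    # UA string match only; a serious deployment would also verify the source IP.
    return "googlebot" in user_agent.lower()


def scan(lines, own_host=OWN_HOST):
    """Return findings for Googlebot requests answered with 301/302."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_googlebot(entry["ua"]):
            continue
        if entry["status"] not in (301, 302):
            continue
        foreign = foreign_urls_in_query(entry["target"], own_host)
        findings.append({
            "ts": entry["ts"],
            "status": entry["status"],
            "target": entry["target"],
            "foreign": foreign,
            "reason": ("googlebot redirected to foreign host" if foreign
                       else "googlebot redirected; check Location target by hand"),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["status"], f["target"], "->", f["foreign"] or "?", "|", f["reason"])
```

Run it against a real log with `scan(open("access.log"))`; the second sample line is the high-signal case (Googlebot, 302, query carrying a URL on another host), while the last is a plain internal redirect that still needs the `Location` value from the application or a redirect log to rule out.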

~~~
londons_explore
Google doesn't issue rewards for SEO tricks. My guess is your sitemap
redirection trick could be used to leak data about the victim site (search
terms, traffic stats, malware URLs), or to do other privileged actions on
behalf of the victim site now that the two domains were linked (for example sign up
for Google Apps or trigger rate limits, DoS'ing the victim's ability to use
certain APIs).

~~~
TomAnthony
Perhaps. We could argue the semantics of it, but it feels within the spirit of
the VRP. It directly impacts the secure and correct functioning of a (the!)
core Google service.

The VRP page [0] talks about the "maximum impact" and this impacts users and
advertisers, as well as businesses relying on organic Google traffic.

However, I take your point - I'm aware this is not a typical sort of issue for
a bounty.

To reiterate - I am grateful to Google that they run the bounty programme and
that they awarded a bounty for this. I've previously reported several issues
(e.g. [1]) that have not been rewarded any bounty, which is the nature of the
programme and absolutely fine.

[0] [https://www.google.com/about/appsecurity/reward-program/](https://www.google.com/about/appsecurity/reward-program/)

[1] [http://www.tomanthony.co.uk/blog/confirm-google-users-email/](http://www.tomanthony.co.uk/blog/confirm-google-users-email/)

------
eyeareque
I’ve worked at other companies in teams that take these security reports in.
There’s no excuse for their long delays in response, you showed them clear
abuse immediately. I wish you would have given them the tavis experience. Next
time use Google’s own terms, with a set date on when you will publish to put
pressure on them. They do this to others and need to be held to the same
standards.

Nice work! It is amazing how a bug that so many people don’t care about (open
redirects) could have been used to exploit Google’s prime income generator.

If nothing else, you can use this as a nice gem on your resume, which can help
you get more interviews or better paying jobs in the future.

------
matuszeg
$1337 is not enough money. A bug like this if used secretly and correctly
could have made millions easily.

~~~
TomAnthony
I think if it worked more broadly (I couldn't test without risk at that point)
you could make decent money off of this just through affiliate programs.

I've been doing research like this for 5+ years, and you go in knowing most of
it won't lead to anything. I'd hoped for more, but I could have simply failed
again and got nothing! :)

As I've said below, I'd have reported it anyway even without a bounty; however
I probably wouldn't have done the research in the first place were there not a
bug bounty programme.

I've previously had 2 bounties from Google. One was an easy find and was also
$1337. The other was more technical but still straight forward and also played
to SEO and got $5000 - in that instance Matt Cutts was involved and I believe
advocated for the amount (thanks, Matt!). This was far more impactful than
that other issue, and more directly monetisable.

~~~
downandout
I do have to ask...were you at all tempted to try to monetize this? The guys
in the BHW thread aren’t wrong about the potential. I applaud you for taking
the high road, I’m just curious if the thought of giving away probably low six
figures/day for $1337 nags at you at all.

~~~
TomAnthony
It is a good question. I wouldn't have monetised this and would still have
reported it, because doing so would hurt legitimate businesses (by pushing them
out of the results).

However, I have to admit it does nag at me a bit that the bounty is so small -
it is like they are trying to send a message but I'm just not sure what it is!

I have done loads of research over the last 5 years (this exploit took me a
couple of months to craft) and most comes to nothing, and then when I do find
something big that the bounty is so small is frustrating. A bigger bounty
would have made a meaningful difference to me (kids+no savings!).

The broader issue is how this may play to motivating people to discover/report
these sorts of issues in the future. I have a couple of other ideas for search
related attacks, but am not sure I'm going to explore them any longer.

~~~
emerongi
This is a straight-up 100k-500k bug. If I were to discover this bug and know
I'd only get $1k and be a "good guy" vs. getting millions, well...

The fact is that these bug bounty programs should start paying competitive
prices. They can lowball it by 10x-20x at most, but lowballing by 1000x leads
to people just giving up their ethics.

~~~
um_ya
Almost as if a bug bounty program should show the effect of the bug before
explaining how it works. Then, Google will be more inclined to pay more if it
wants the info on how the bug works.

------
danso
This is an incredible bug, not just for its severity, but for its relative
simplicity. And of course because it targets one of the most ubiquitous and
popular and ostensibly secure software interfaces ever.

Also very interesting how long it took for them to figure out a solution. The
bug report was filed and acknowledged in late September. According to the
author, Google struggled with how to fix the issue for several months, even
though the fix seemed simple ("don’t follow cross-domain redirects for pinged
sitemaps").

~~~
detaro
Seemed simple. If legitimate customers do that too, it suddenly is not so
simple.

~~~
danso
To clarify, by "simple", I meant that the bug was discoverable, exploitable,
and testable by Google's own public interface -- i.e. didn't require the
researcher to break into anything, or find an otherwise extreme set of
conditions. This isn't meant to impugn the skill of the researcher, just to
point out how amazing it was that such a bug could exist in the open. I wonder
if any analysis was done to figure out how many customers (good and bad)
specified cross-domain redirects for sitemaps. Should have been easy to
calculate, I assume.

------
dannyw
Looking at the bounty amounts, this is insane. If you find a bug that allows
you to take over a Google account, through "Logic flaw bugs leaking or
bypassing significant security controls", the _maximum_ payout is $13,337.

Sorry Google, but you should be paying $1,333,337 for that.

------
iamben
I'm with pretty much everyone else here. As symbolic as $1337 is, this is
worth far more.

That said, if one had taken advantage of this, what legal repercussions could
or would you face? I mean, technically I can't see anything _illegal_ here,
albeit unethical. Assuming you wanted to, isn't this just playing the system?

~~~
TomAnthony
I have discussed this with a bunch of people (and there is a discussion on
Twitter right now [0]), and it seems quite unclear whether it would be
illegal.

It would certainly be unethical, and if it is illegal it may mean many other
shady black hat SEO practices are also illegal. I really have no idea though -
would be interesting if there is a lawyer reading to hear any thoughts.

[0]
[https://twitter.com/thetafferboy/status/981883506350608385](https://twitter.com/thetafferboy/status/981883506350608385)

~~~
iamben
It's pretty fascinating. I can't think of anything similar...

------
thogenhaven
This is really great research. I don't understand how come Google didn't react
sooner. It's the biggest black hat exploit I have seen in years.

~~~
gldnspud
I was wondering this too. If the researcher was playing by the same rules that
Google does with vulnerability disclosure, the post would have gone up months
ago regardless of whether Google had fixed it yet or not.

------
maxehmookau
$1337 is a joke. This bug is worth so much more than that in potential lost
revenue to Google!

~~~
jackweirdy
\+ lost value to the victims, who are essentially paying an attacker's bill for
them

------
eganist
There's nothing on the VRP which effectively covers business logic
vulnerabilities. Realistically, this would be precisely why such a category
would be needed.

Closest I can fit it into within their existing scheme is:

> Logic flaw bugs leaking or bypassing significant security controls -- Other
> highly sensitive applications [2] -- Vulnerabilities giving direct access to
> Google servers

But that's a stretch, and the payout is still atrociously low for the value
you could've squeezed out of it, potentially legitimately (millions).

TomAnthony, in your position, I'd keep making a stink here and possibly even
see what other quirks you might find in PageRank and just pocket them for now.
I've reached out to some old members of the VRP team to see if they can shed
any light on whether the VRP can be tuned a bit in response to this, but you
certainly should've gotten more.

~~~
TomAnthony
Thanks for your insights. I actually considered the same spot in the matrix as
best fit, but also identified this sort of 'business logic' isn't a good fit
anywhere in the matrix.

I'm British so not good at kicking up a stink! However, it is Google's VRP,
and they are under no obligation to give anyone anything, so am not sure I
have grounds to do so anyway. As I've said elsewhere, it is just hugely
demotivating and a disincentive (for both me and others) for similar research in
future.

I think it would be a great addition to the VRP for them to include things
affecting the core algo (their main product), but imagine it would be tricky
to do without also getting a huge number of very tenuous reports.

------
will_critchlow
Has anyone ever heard of another case like this? I've been following search
pretty closely for most of Google's existence and this is the only bug bounty
payout I've ever heard of for a blackhat core algo exploit.

[Disclaimer: Tom's a colleague of mine at Distilled where I'm a founder]

~~~
x0x
[https://www.google.com/about/appsecurity/research/](https://www.google.com/about/appsecurity/research/)

But they don't list any bounty rewards there. Tom should be on this list too,
this could land him a nice job.

------
yAnonymous
As others have said, $1337 for such a bug is pathetic.

The point of a bug bounty is to give researchers an incentive to report bugs
rather than sell or abuse them. This does exactly the opposite for me.

~~~
exikyut
This is being downvoted but it's so true. Google just clarified the value they
place on advanced (aggressive) SEO techniques/exploits.

------
dnial02
$1337 bounty is a symbolic number to signify the receiver is an elite hacker.

So, it's the meaning that counts, not the amount.

edit: source:
[https://en.wikipedia.org/wiki/Leet](https://en.wikipedia.org/wiki/Leet)

~~~
jaclaz
>So, it's the meaning that counts, not the amount.

Still, I believe that a more heavily accented/long "e", like in $13337 would
have been graciously received ...

~~~
Cthulhu_
Or 31337, the long form of 1337

------
VikingCoder
Set up a Patreon and a Donate button.

I wish Google had paid you more, but maybe the people in this thread will put
their Money where their Outrage is, and thank you themselves.

------
jakear
A commenter (@ivan2kh) raises a good question... what happens if you submit
"evil.xml" on "https://www.amazon.com/clouddrive/share/xxx", or similar? Any
host that allows user-submitted files, and hosts them under their domain, could
be exploited, right?

~~~
nsgi
Serving user-submitted files from your main hostname is generally a bad idea
because of the risk of XSS vulnerabilities. On Amazon cloud the content is
served from the subdomain. Though it does raise a good point as a content
domain/subdomain for a large website/service may have an impressive pagerank
that could be exploited.

~~~
jakear
archive.org hosts with URLs like "https://archive.org/details/myfile.xml".
They must have good pagerank for anything storage related. Perhaps a cloud
storage service could use this exploit?

------
wallace_f
Receiving $1337 from Google is awesome, but that bug bounty should have been
higher.

------
foobaw
Although I agree that $1337 is definitely WAY too low, it's also someone's job
to budget this and minimize payouts.

To Google, 100k is nothing and in good faith, they should definitely reward
more, but when it ties into someone's KPI, it will be tough to get more.
They'd have to work with PR to understand the tradeoffs, etc.

------
kerng
Wow, this is a great find with enormous potential impact. Kudos!

The payout from Google seems very low, this bug took their core business model
on a ride.

Cool find!

------
hartator
Great work, and kudos for reporting it.

It’s worth noting that Google took 5 months to fix it, and almost discarded it a
couple of times.

------
wilun
The bounty is incredibly low.

------
shipnever
I hope you made yourself significantly more money out of this than $1,337...

~~~
TomAnthony
Alas, not. I thought the bounty would be larger, but I'd have reported it
anyway due to the damage it could do to legitimate businesses being pushed out
of the results. You can't do this sort of research and rely on a specific
bounty payout.

