

Don't Be Evil? - r-shirt
http://joshcuppett.com/posts/dont-be-evil.html

======
kllrnohj
> You don't need to treat me like the bad guy when I'm clearly not exploiting
> you.

I'm not seeing where Google treated him like a "bad guy"? It sounds like he
was expecting Google to sing his high praises, which of course didn't happen.
The bug bounty payout also has qualifications that the author didn't come
remotely close to meeting
( [http://www.google.com/about/appsecurity/reward-program/](http://www.google.com/about/appsecurity/reward-program/) ),
so I have no idea why he expected he should get paid.

By his own admission he doesn't know how the attacker got access to his
account, nor where the $20k came from. So what vulnerability did he find? I
guess Google's failure here was to protect the author from his own lax
security.

------
vizzah
I failed to follow how the author introduced an "attacker" to this story, when
there are no visible suggestions of one, only his own old credit cards on file,
to which he didn't incur any charges, and all that must have happened due to a
routing mistake crediting someone's funds to his account. Something which must
have been rectified very quickly even without the author noticing.

------
rgbrenner
_Obviously someone has an exploit of adwords that can add credits to accounts
without paying for it, and it appears to involve closing and re-opening
accounts with expired credit cards._

This point is so obvious that he doesn't bother explaining any further. There
was a billing mistake in his account, so therefore there must be an exploit of
some kind.

There are other explanations for a billing mistake, but apparently they don't
bother consideration.

------
TomAnthony
I disagree with some people here. If this _was_ an exploit that had an
attacker (as opposed to the various other explanations people are putting
forward) then reporting it to Google is obviously valuable to them, even if he
is unaware of how to replicate the exploit. He would

a) make them aware of the problem
b) give them enough of a start to work out what is happening.

So I'd suggest it is worthy of being rewarded if not by the exact rules of the
program, at least by the spirit of it.

However, I seriously doubt this is really what happened - he makes a lot of
leaps without any corroborating evidence. I am very sure this isn't Google
trying to 'screw' the guy.

------
pastylegs
You reported the results of somebody exploiting your account, not an exploit.
Why would they reward a simple bug report?

~~~
rgbrenner
No, he reported a billing mistake. There's no evidence anyone exploited his
account.

------
droopybuns
:C

Can we please downvote this into oblivion? This guy thinks "Reporting a
vulnerability" is synonymous with reporting that his account was hacked.

Vulnerability rewards programs incentivize security researchers to properly
disclose new attack techniques.

They do not exist to reward the reporting of account compromises.

r-shirt, why would this be useful to the hackernews community?

------
eli
I had a little trouble following that. Are you sure the bug you reported is
actually related to the $20,000 credit and not just a separate UI issue?

I'd be very surprised if allowing you to log in with an expired card somehow
also allowed you to make unlimited successful payments against that expired
card. It just doesn't really make sense. Seems like there is perhaps another
bug or something else altogether that is responsible for the $20,000.

------
steven2012
Allowing purchases with an expired credit card isn't really a bug, it's
sometimes a "feature". If it was valid when the credit card was added to the
account, and if a payment were made from it before it expired, it could have
subsequently been labelled as a recurring payment, and then the credit card
companies will often allow payments to go through, even after it expired.

~~~
jacquesm
> and then the credit card companies will often allow payments to go through,
> even after it expired.

False. The credit card companies will let the payment through based on the
number alone as long as you present an expiry date in the future. But it's
illegal to continue to charge past the expiry date of the card for recurring
payments _after_ the date that was entered when the subscription started, and
you're not allowed to change that expiry date yourself without the customer
presenting the card again, with the new expiry date. (It's really easy to
guess though, just set it 5 years into the future and that's a pretty good
stab at getting it right).

The reason why it works is because you'll get a new card, with a new expiry
but with the old number. Still, doing this is against the TOS. Easy to do, not
proper and very very bad form towards the customer and the card company.

Stuff like this can cost you your merchant account if a customer decides to
take it as far as they can. You are not just making charges on behalf of the
customer here, this is a form of fraud by the merchant.

------
corresation
Guy had no idea what the attack -- if any -- was. All he noticed was odd
activity on his account, which as easily could have been human error at
Google.

However, as to his point that this is a massive imperilment of Google: Not
really. Google ads run on a bid system, so introducing fake money doesn't
actually reduce the amount of money Google actually makes, and may actually
increase it. I get $100+ AdWord credit offers from Google literally monthly,
because the effect of my credit is only that I push up the cost for everyone
else. Obviously there are limits to this (when advertisers simply bow up) but
unless the fraud was really widespread it wouldn't damage Google.

------
antsar
It would be interesting to see statistics on exploits sold in the black market
lately, since it seems like these companies (Facebook, Google) are doing a
thoroughly good job at pushing independent researchers to do just that. I'm
aware that the linked author wasn't a security researcher intentionally
uncovering a flaw, but the outcome still sends a similar message.

~~~
dsl
Such numbers are really hard to come by (or disclose publicly).

I can tell you that Google exploits on the black market are basically
worthless unless 1) it allows Gmail read/send access or 2) facilitates
emptying stolen cards in some way.

Other types of exploits (a Facebook login bypass, or Windows RCE for
example) are far more useful, and the black market community really can't come
up with the funds to compete with corporate or government buyers.

------
cantbecool
He found a vulnerability, so "Pay him... Pay that man his money."

