Google bug bounty for security exploit that influences search results (tomanthony.co.uk)
246 points by TomAnthony on Apr 5, 2018 | 67 comments

Google should be ashamed of themselves for this meaningless, token “make ourselves feel good” payout. They have straight up exploited the reporter of the exploit.

This could have been used to make millions and they took advantage of the reporter’s good faith and benevolent motivations.

Google, this is worth at least $1,0000,000 to you guys, and even more, in lost revenue, plus the impact of what gaming your search algorithm would have cost and damage to your reputation. Stop taking advantage of people.

Give this man what he deserves!

They are not setting a very good precedent with this, that's for sure. Not everyone will be as white hat as this guy and opt for a little more value. Would this have been even an illegal thing to do per se? Could companies have sued him for lost profit? Anyway even 100k would have been nothing to Google. You shouldn't try to be a cheapskate with this.

> they took advantage of the reporter’s good faith and benevolent motivations.

Someone with truly benevolent motivations does good things because they believe it's the right thing to do -- not because of a monetary reward. I'm not saying they shouldn't pay him more, but I think it's going a bit far to say they're "taking advantage of him".

If I find a wallet on the ground and there's $200 cash in it, I'll return it to the owner and leave all the money there. I don't expect a reward and certainly don't feel like I'm being taken advantage of if they don't give me some of that $$.

Yeah, but you might feel differently if instead of $200 it had $10m cash. And instead of accidentally coming across it on the ground, you spend months of your own time just walking the streets looking for such a wallet to return. And also the owner is one of the richest men in the world.

I'm not surprised at all that Google rewarded this low. This is why there will always be more blackhat SEO than reporters. Because companies are too cheap to realize how valuable these discoveries are. They are getting too greedy. I agree 100% that this should have been at least $1,000,000 if not much more. If this continues Google could be the next Facebook ^_^ Let's use DuckDuckGo instead everyone ;-)

Good point. Google probably argued it's just an Open Redirect, whereas it's an elevation (in the site ranks) with immediate impact on site owners. Hope Google makes this right for the finder and hands out an elevation payout (it's possible to bend your own rules, I doubt this kind of finding is in their typical payout matrix)

Yeah, I'm not sure how well it fits in their matrix, though they do have a column for:

> This category includes products such as Google Search

But it is probably intended to mean the front end of it, rather than the ranking algorithm.

There is definitely an asymmetry between the entity that posts a bug bounty and the hunter of that bounty. It's the principal-agent problem: The entity that posts the bounty is also the same agent that decides whether to hand out the bounty or not. The bounty in most cases is variable so it's in their best interest to make some attempt to withhold the bounty by arguing for a lower-valued classification or no classification of the bug.

Perhaps it would make sense for a third-party "bounty escrow" agency to exist. The escrow agency may be able to provide impartial arbitration of the exploit, and this may have the side effect of coming to a decision faster and promoting a quicker actual bug fix for the end-users.

His console says 33.2k of ad buys. I'd say it's worth at least that much to them.

It's literally their numbers spitting out how much it would have cost!

But hey, at least it's Leet.

$31337 should have been minimum payout. Think of the software download rankings..

It was a SEMRush screenshot, not related to Google, so it wasn't their numbers.

Apologies. Definitely an estimated start.

Well I don’t know if it lost (Google) revenue (interested in understanding how if actually so? maybe missing something), but yeah it was definitely worth a lot of money to anyone who knew of it as a 0-day, and would have been lost traffic/revenue for the serps being bumped down.

This is a pretty cool exploit.

@TomAnthony, This is f*up, Google should have given you at least $1,337,000 bounty for this. This is one of the most profitable exploits I've seen discovered by anyone. Plus you've done the right thing and reported it. Good job on this discovery!

"I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer."

You're valuing yourself way too low. You've done a good job with this and should receive more bounty for it. Also see if you can earn more for doing research elsewhere: https://www.bugcrowd.com/bug-bounty-list/ Also maybe use something like: https://www.hackerone.com/

To answer a few FAQs I've had over the last few days:

- I've not seen a confirmed use of this in the wild yet, despite a few people emailing me stories where they suspect it.

- I am unsure what is with the bug bounty amount. I think either:

  1) The various teams didn't communicate well about the impact until after the award,
  2) I haven't fully understood the bug, however as per VRP rules I stopped when I had "discovered a potential security issue", at which point "The panel will consider the maximum impact". It may be I've not understood the impact fully.
  3) They want to discourage SEO type research as opposed to pure security research, but I doubt that is the case and it doesn't match up with my previous dealings with the team.

- There are a few technical details not in the article (for example I believe the sitemap has to be a sitemap index file), but nothing that greatly changes it.

- If you are concerned you are affected, I'm happy to take a quick look at your data for free (tom.anthony@distilled.net) to see if I have any insights.

- The best/only way to detect this being done to you is to find the 301/302 redirects for the sitemap in your server logs.
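
One way to run the log check described in the comment above, added here as an example (it is not code from the thread, the article or Google). It assumes the combined access-log format, that the open redirect carries its destination in a query parameter, and that the destination path ends in `.xml`; the hostnames and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def offsite_xml_target(request_target, own_hosts):
    """Return a query-string value that is an off-site URL ending in .xml, else None."""
    for _name, value in parse_qsl(urlsplit(request_target).query):
        # Only absolute or scheme-relative URLs can leave the site.
        if not value.lower().startswith(("http://", "https://", "//")):
            continue
        dest = urlsplit(value)
        host = (dest.hostname or "").lower()
        if host and host not in own_hosts and dest.path.lower().endswith(".xml"):
            return value
    return None

def find_sitemap_redirects(lines, own_hosts):
    """List 301/302 responses whose request points at an off-site XML file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] not in ("301", "302"):
            continue
        dest = offsite_xml_target(m["target"], own_hosts)
        if dest:
            hits.append({
                "time": m["ts"],
                "client": m["ip"],
                "status": int(m["status"]),
                "destination": dest,
                # The User-Agent can be spoofed, so treat this as a hint only.
                "googlebot_ua": "googlebot" in m["ua"].lower(),
            })
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder hostnames).
GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Apr/2018:10:12:01 +0000] "GET /login?continue='
    'https%3A%2F%2Fevil.example%2Fsitemap.xml HTTP/1.1" 302 0 "-" "' + GBOT + '"',
    '192.0.2.10 - - [05/Apr/2018:10:13:44 +0000] '
    '"GET /sitemap.xml HTTP/1.1" 200 5120 "-" "' + GBOT + '"',
    '203.0.113.9 - - [05/Apr/2018:10:15:02 +0000] "GET /login?continue='
    'https%3A%2F%2Fwww.victim.example%2Faccount HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Apr/2018:10:17:30 +0000] '
    '"GET /out?u=//evil.example/index.xml HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]
OWN_HOSTS = {"victim.example", "www.victim.example"}

if __name__ == "__main__":
    for hit in find_sitemap_redirects(SAMPLE_LOG, OWN_HOSTS):
        print(hit)
```

Redirects whose destination does not appear in the request line will not show up this way; for those, log the response `Location` header and match on that instead.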

Google doesn't issue rewards for SEO tricks. My guess is your sitemap redirection trick could be used to leak data about the victim site (search terms, traffic stats, malware urls), or to do other privileged actions on behalf of the victim site now the two domains were linked (for example sign up for Google Apps or trigger rate limits DoS'ing the victim's ability to use certain APIs)

Perhaps. We could argue the semantics of it, but it feels within the spirit of the VRP. It directly impacts the secure and correct functioning of a (the!) core Google service.

The VRP page [0] talks about the "maximum impact" and this impacts users and advertisers, as well as businesses relying on organic Google traffic.

However, I take your point - I'm aware this is not a typical sort of issue for a bounty.

To reiterate - I am grateful to Google that they run the bounty programme and that they awarded a bounty for this. I've previously reported several issues (e.g. [1]) that have not been rewarded any bounty, which is the nature of the programme and absolutely fine.

[0] https://www.google.com/about/appsecurity/reward-program/

[1] http://www.tomanthony.co.uk/blog/confirm-google-users-email/

I’ve worked at other companies in teams that take these security reports in. There’s no excuse for their long delays in response, you showed them clear abuse immediately. I wish you would have given them the Tavis experience. Next time use Google’s own terms, with a set date on when you will publish to put pressure on them. They do this to others and need to be held to the same standards.

Nice work! It is amazing how a bug that so many people don’t care about (open redirects) could have been used to exploit Google’s prime income generator.

If nothing else, you can use this as a nice gem on your resume, which can help you get more interviews or better paying jobs in the future.

$1337 is not enough money. A bug like this if used secretly and correctly could have made millions easily.

I think if it worked more broadly (I couldn't test without risk at that point) you could make decent money off of this just through affiliate programs.

I've been doing research like this for 5+ years, and you go in knowing most of it won't lead to anything. I'd hoped for more, but I could have simply failed again and got nothing! :)

As I've said below, I'd have reported it anyway even without a bounty; however I probably wouldn't have done the research in the first place were there not a bug bounty programme.

I've previously had 2 bounties from Google. One was an easy find and was also $1337. The other was more technical but still straightforward and also played to SEO and got $5000 - in that instance Matt Cutts was involved and I believe advocated for the amount (thanks, Matt!). This was far more impactful than that other issue, and more directly monetisable.

I do have to ask...were you at all tempted to try to monetize this? The guys in the BHW thread aren’t wrong about the potential. I applaud you for taking the high road, I’m just curious if the thought of giving away probably low six figures/day for $1337 nags at you at all.

It is a good question. I wouldn't have monetised this and would have still reported it, because doing so would hurt legitimate businesses (by pushing them out of the results).

However, I have to admit it does nag at me a bit that the bounty is so small - it is like they are trying to send a message but I'm just not sure what it is!

I have done loads of research over the last 5 years (this exploit took me a couple of months to craft) and most comes to nothing, and then when I do find something big, that the bounty is so small is frustrating. A bigger bounty would have made a meaningful difference to me (kids+no savings!).

The broader issue is how this may play to motivating people to discover/report these sorts of issues in the future. I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer.

This is a straight-up 100k-500k bug. If I were to discover this bug and know I'd only get $1k and be a "good guy" vs. getting millions, well...

The fact is that these bug bounty programs should start paying competitive prices. They can lowball it by 10x-20x at most, but lowballing by 1000x leads to people just giving up their ethics.

Almost as if a bug bounty program should show the effect of the bug before explaining how it works. Then, Google will be more inclined to pay more if it wants the info on how the bug works.

The cybersecurity research community should solicit some sort of endowment, like a Nobel Prize, that goes to deserving WH bug discoveries each year.

Uncovering bugs that aren't attached to bug bounty programs still has external benefits for the security community.

Thanks for your work here, even without such a program.

> The broader issue is how this may play to motivating people to discover/report these sorts of issues in the future. I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer.

Agreed. Relative to the value of exercising this exploit, your bounty is missing a few 0’s at the end. I hope that you at least get some professional credit for this, and that it translates to a financial boost. You certainly deserve it for discovering something like this and doing the right thing with it.

Can you explain how you can make millions with this?

Maybe not millions, but you could make a decent chunk of money in a number of ways. The obvious 'easy' one would be to spin up affiliate sites and rank quickly and easily for competitive terms (with a site that does not deserve to rank), by hijacking the equity (PageRank essentially) of one site and using it to rank in another region.

For example I could leverage the equity of a US made second hand car marketplace to rank my site in the UK and list UK Autotrader listings on my site. They have a nice affiliate program for clicks/leads.

Alternatively, I may only operate in one country but I could 'top up' my equity by leeching it from a company in a similar niche in another country. My competitors in my home country would be at a loss as to how I'm ranking so well.

It should be noted that there are a number of parameters that may change between my initial experiment and these uses, so we'll never know how viable it really was.

There are a number of people lamenting about this 'missed opportunity' (and calling me some colourful names!) here:


And republishing the article in full! Some people got no class.

That’s really epic :)

You could absolutely make millions off this. Getting to Google's first SERP for popular terms gives you a huge amount of very high quality, free traffic. Once this traffic lands on your site, you can use either CPM ads, sell the traffic on CPC basis or just redirect through affiliate links to the searched product. It will be HIGHLY profitable since the traffic is essentially free.

You could make tens of millions if you stayed under the radar for long enough. There are hundreds of ways to monetize this.

This is an incredible bug, not just for its severity, but for its relative simplicity. And of course because it targets one of the most ubiquitous and popular and ostensibly secure software interfaces ever.

Also very interesting how long it took for them to figure out a solution. The bug report was filed and acknowledged in late September. According to the author, Google struggled with how to fix the issue for several months, even though the fix seemed simple ("don’t follow cross-domain redirects for pinged sitemaps").

Seemed simple. If legitimate customers do that too, it suddenly is not so simple.

To clarify, by "simple", I meant that the bug was discoverable, exploitable, and testable by Google's own public interface -- i.e. didn't require the researcher to break into anything, or find an otherwise extreme set of conditions. This isn't meant to impugn the skill of the researcher, just to point out how amazing it was that such a bug could exist in the open. I wonder if any analysis was done to figure out how many customers (good and bad) specified cross-domain redirects for sitemaps. Should have been easy to calculate, I assume.

Looking at the bounty amounts, this is insane. If you find a bug that allows you to take over a Google account, through "Logic flaw bugs leaking or bypassing significant security controls", the maximum payout is $13,337.

Sorry Google, but you should be paying $1,333,337 for that.

I'm with pretty much everyone else here. As symbolic as $1337 is, this is worth far more.

That said, if one had taken advantage of this, what legal repercussions could or would you face? I mean, technically I can't see anything _illegal_ here, albeit unethical. Assuming you wanted to, isn't this just playing the system?

I have discussed this with a bunch of people (and there is a discussion on Twitter right now [0]), and it seems quite unclear whether it would be illegal.

It would certainly be unethical, and if it is illegal it may mean many other shady black hat SEO practices are also illegal. I really have no idea though - would be interesting if there is a lawyer reading to hear any thoughts.

[0] https://twitter.com/thetafferboy/status/981883506350608385

It's pretty fascinating. I can't think of anything similar...

This is really great research. I don't understand how come Google didn't react sooner. It's the biggest black hat exploit I have seen in years.

I was wondering this too. If the researcher was playing by the same rules that Google does with vulnerability disclosure, the post would have gone up months ago regardless of whether Google had fixed it yet or not.

$1337 is a joke. This bug is worth so much more than that in potential lost revenue to Google!

+ lost value to the victim, who are essentially paying an attacker's bill for them

There's nothing on the VRP which effectively covers business logic vulnerabilities. Realistically, this would be precisely why such a category would be needed.

Closest I can fit it into within their existing scheme is:

> Logic flaw bugs leaking or bypassing significant security controls -- Other highly sensitive applications [2] -- Vulnerabilities giving direct access to Google servers

But that's a stretch, and the payout is still atrociously low for the value you could've squeezed out of it, potentially legitimately (millions).

TomAnthony, in your position, I'd keep making a stink here and possibly even see what other quirks you might find in PageRank and just pocket them for now. I've reached out to some old members of the VRP team to see if they can shed any light on whether the VRP can be tuned a bit in response to this, but you certainly should've gotten more.

Thanks for your insights. I actually considered the same spot in the matrix as best fit, but also identified this sort of 'business logic' isn't a good fit anywhere in the matrix.

I'm British so not good at kicking up a stink! However, it is Google's VRP, and they are under no obligation to give anyone anything, so am not sure I have grounds to do so anyway. As I've said elsewhere, it is just hugely de-motivating and a disincentive (for both me and others) for similar research in future.

I think it would be a great addition to the VRP for them to include things affecting the core algo (their main product), but imagine it would be tricky to do without also getting a huge number of very tenuous reports.

Has anyone ever heard of another case like this? I've been following search pretty closely for most of Google's existence and this is the only bug bounty payout I've ever heard of for a blackhat core algo exploit.

[Disclaimer: Tom's a colleague of mine at Distilled where I'm a founder]


But they don't list any bounty rewards there. Tom should be on this list too, this could land him a nice job.

As others have said, $1337 for such a bug is pathetic.

The point of a bug bounty is to give researchers an incentive to report bugs rather than sell or abuse them. This does exactly the opposite for me.

This is being downvoted but it's so true. Google just clarified the value they place on advanced (aggressive) SEO techniques/exploits.

$1337 bounty is a symbolic number to signify the receiver is an elite hacker.

So, it's the meaning that counts, not the amount.

edit: source: https://en.wikipedia.org/wiki/Leet

>So, it's the meaning that counts, not the amount.

Still, I believe that a more heavily accented/long "e", like in $13337 would have been graciously received ...

Or 31337, the long form of 1337

Yeah, the amount is quite geeky. For those interested in the other amounts they award (based on a matrix of severity and which part of Google):


The disclosure of the exploit signifies the status of the hacker. The amount of the award is a slap in the face that is entirely disproportionate to the value of the exploit.

It’s likely infantilising to any serious security researcher, an incentive for “script kiddies”.

Set up a Patreon and a Donate button.

I wish Google had paid you more, but maybe the people in this thread will put their Money where their Outrage is, and thank you themselves.

A commenter (@ivan2kh) raises a good question... what happens if you submit "evil.xml" on "https://www.amazon.com/clouddrive/share/xxx", or similar? Any host that allows user submitted files, and hosts them under their domain, could be exploited right?

Serving user-submitted files from your main hostname is generally a bad idea because of the risk of XSS vulnerabilities. On Amazon cloud the content is served from the subdomain. Though it does raise a good point as a content domain/subdomain for a large website/service may have an impressive pagerank that could be exploited.

archive.org hosts with URLs like "https://archive.org/details/myfile.xml". They must have good pagerank for anything storage related. Perhaps a cloud storage service could use this exploit?

Receiving 1337 $s from Google is awesome, but that bug bounty should have been higher.

Although I agree that $1337 is definitely WAY too low, it's also someone's job to budget this and minimize payouts.

To Google, 100k is nothing and in good faith, they should definitely reward more, but when it ties into someone's KPI, it will be tough to get more. They'd have to work with PR to understand the tradeoffs, etc.

Wow, this is a great find with enormous potential impact. Kudos!

The payout from Google seems very low, this bug took their core business model on a ride.

Cool find!

Great work, and kudos for reporting it.

It’s worth noting that Google took 5 months to fix, and almost discarded it a couple of times.

The bounty is incredibly low.

I hope you made yourself significantly more money out of this than $1,337...

Alas, not. I thought the bounty would be larger, but I'd have reported it anyway due to the damage it could do to legitimate businesses being pushed out of the results. You can't do this sort of research and rely on a specific bounty payout.
