The 18-year-old student from Uruguay's University of the Republic discovered a critical remote code execution (RCE) bug in the system, which is a framework and cloud platform used for the hosting and development of web applications in Google data centers.
According to the researcher, in early 2018, they gained access to a non-production Google App Engine deployment environment in which the researcher was able to use internal APIs.
Every Google App Engine (GAE) application replies to HTTP requests with an "X-Cloud-Trace-Context" header. Appengine.google.com runs on GAE, and after some exploration, the researcher learned how GAE apps perform internal actions, including log writing and retrieving OAuth tokens.
However, in the Java 8 environment, internal actions were performed by sending Protocol Buffer (PB) messages to an internal HTTP endpoint. The response would be the corresponding PB message that represents the reply from the API, or an error message.
Security tickets could also be generated with crafted lines of code.
"Since this endpoint has access to some internal stuff, I was sure this must be related to whatever "appengine.google.com" uses for performing internal actions, but I could not find anything in the HTTP endpoint," the researcher explained.
The bug hunter then went on to upload a statically linked version of Nmap to GAE. This led to the discovery that port four was open, and after building a C++ client and running it on GAE, the researcher uncovered a gRPC service which was running an "apphosting.APIHost" API.
It seemed at this stage that the actions performed by the appengine domain were invoking hidden APIs. The researcher then created a Java library in C++ which reads arguments passed to launchers before returning them, leading to the discovery of API names including "logservice" and "stubby."
Through these scripts, the researcher was able to gain access to the staging and test GAE deployment environments, which are usually restricted and cannot be accessed by standard users.
A few tweaks to the gRPC client allowed the bug hunter to access stubby.
"After discovering this, I did some testing, but I was not able to find any stubby call that I considered dangerous," the researcher says. "Nevertheless, I reported this to Google and it got a P1 priority."
However, exploration continued, leading to the discovery of additional internal APIs including "app_config_service." These findings were also reported and Google asked the researcher to stop -- as there was a real risk that any more investigations into the APIs could break the system.
The university student was then awarded the large bounty for what Google considers a severe RCE bug.
"I was not aware until then that this was regarded as Remote Code Execution (The highest tier for bugs), it was a very pleasant surprise," the researcher added. "I asked one of the Googlers in the reward panel about it, and he told me it is RCE for the way Google works and also that the extra $5k (Since they pay $31,337 for RCE bugs) was for a lesser bug."
The initial report was made on 25 February. Google confirmed the findings and patched the security issue on May 16, 2018.
In January, Google awarded $112,500 to a bug bounty hunter for the disclosure of an exploit chain which could be used to compromise Pixel mobile devices.