Hacking Google: The three Israeli white hats rooting out the web's security holes

Three Israeli hackers have been among the most prolific hunters in Google's bug bounty program - but they still trust the company with their data.
Written by David Shamah, Contributor

If you've been trusting the cloud with your data, three Israeli hackers have a message for you: the cloud isn't safe. It really, really isn't safe.

How unsafe is it? "It's so unsafe that I refused to put a credit card on PayPal until I was able to personally test their security," said hacker Ben Hayak. "And it's a good thing I didn't because they really had a major security hole, which has since been closed."

Hayak was able to check PayPal's cloud security thanks to the company's "bug bounty" programme, which pays hackers to search out security vulnerabilities on its site.

Ben Hayak

Security, according to a recent blog post by PayPal's chief information security officer Michael Barrett, has to be at the top of the agenda for any company that does business in the cloud, "but we realise that no company can do it all alone".

Instead, the company began working with 'white hat' hackers – the 'good guys' of the hacking world – to discover security lapses such as XSS (cross-site scripting), CSRF (cross-site request forgery), SQL injection or authentication bypass.

"I originally had reservations about the idea of paying researchers for bug reports," Barrett wrote in the blog, "but I am happy to admit that the data has shown me to be wrong – it's clearly an effective way to increase researchers' attention on internet-based services and therefore find more potential issues."

PayPal is actually one of the latest cloud companies to grasp the wisdom of putting the hacker community to work for you, instead of against you. Other companies with similar programmes include Facebook, Mozilla, and Twitter, but the first to formally work with hackers was Google, which has been running its bug bounty programme (officially called the Vulnerability Reward Program) since late 2010.

Since then, hundreds of hackers have uncovered perhaps thousands of security vulnerabilities in Google code, across the company's full range of properties, from Gmail to Google Docs to Blogger.

Israeli white-hat hackers have been among the more active in the Google programme; Hayak and hacker Shai Rod were rated among the top discoverers of security bugs for Google during 2012, and hacker Nir Goldshlager is number four on the list of all-time hackers on Google's 0x0A list, based on the number of bugs discovered and the amount of money paid out by Google.

Nir Goldshlager

All three work at Israeli security company Avnet, which, among other things, tests enterprise websites in Israel for vulnerabilities. The Google work is a sideline for the three hackers – but a very lucrative one that has earned each of them several thousand dollars, given that Google pays between $500 and $3,000 for each bug discovered.

The three white hats have each earned that kind of money despite the fact that hundreds of hackers around the world participate in the programme – Google is so large, there are more than enough security lapses to go around.

"Recently, Shai showed us how to get control of a Google server by playing with Google Calendar," said Hayak. "We were also able to get into Google servers via Gmail, and when we hacked into Google's Blogger.com, we were able to find the code that made us admins on all of the service's blogs." The three did not need sophisticated rootkits or under-the-hood Unix scripts to find these vulnerabilities: "We were able to do all this by directly engaging with the service itself," Hayak said.

Shai Rod

All three say they have always been white-hat hackers and have never been on the 'dark side' - but the programmes by Google and others do attract black-hat hackers as well.

"I know of several cases in which a hacker found a vulnerability and sold it on the black market to a criminal gang, and then turned around and reported it to Google," said Goldshlager.

That's one reason he trusts Google with his data – to the extent that he now even uses Gmail. "With so many people working on finding the vulnerabilities in order to collect the reward, any existing problem is going to be discovered very quickly, so even if the wrong elements get wind of a vulnerability, the damage they are going to be able to do is going to be limited," he said. In fact, added Hayak, Google decided to institute the programme after Chinese hackers were able to get into accounts of dissidents in 2010.

Since then, the number of security incidents for the company has gone down significantly, Hayak said. Still, the cloud is a scary place. "I don't trust it," said Rod, the third member of the Avnet hacker team. "You get what you pay for, and if you are getting free services, you have to put up with a lot of intrusion."

Security for free and paid-for accounts is the same – or starts out the same, said Rod – but somehow companies seem to feel they have a bigger obligation to ensure the safety of their paying customers' data. "It's not even about the security, it's about the privacy," he said. "I am sure that if many people read the TOS [terms of service] on many free web services, they would think twice before accepting." And the more opportunity for a company to invade account users' privacy (like sweeping their information in order to better target them with ads), the more opportunity for a security bug to develop.

As far as the hackers are concerned, the situation at Google and the other services that have bug bounty programmes is better than at companies that don't, said Hayak.

"I can't tell you about security in the App Store or at Amazon because I have no legal way of testing their defences," he said. "But the fact that Google, PayPal, and the others that have bug bounty programmes are willing to let people like me test their systems shows that they are serious about security."

Google's payouts for its bug bounty program. Image: Google