I think if I were an outsider I would’ve probably gotten pretty shy just after discovering an internal SSRF at a big corp. However, that also probably explains why I am not a security researcher.
Am I reading this right? 13,337 for an unrestricted file access vulnerability? Seems rather cheap, I think even other interested parties would pay more :/
It was treated as an unrestricted file access vulnerability. I don’t want to accidentally disclose any non-public information (as an employee of Google) so I’ll just say I suspect there wasn’t really a ton more to see other than status and debug pages. Not to downplay the value of such a vulnerability, just saying that with defense-in-depth risks like this should be relatively well contained. It sounds like they got access to some confidential operational information but were nowhere near user data, and there was no obvious path to get there without much worse vulnerabilities.
Interns contribute a lot of value - they don't run around making coffee. Being an intern makes it much more likely to get an FTE role too, which is more than most 18-year-olds.
If by rewarded you mean comp, then yes I'm very happy with it for my age. Given the situation outside - just grateful to have a job right now.
I chose this over university - I get paid and am working towards a CS degree as part of the work. Granted, am not an intern (I'm something different) but I understand they are well paid at FAANG companies and the experience is the same.
If the work you do is valuable then it deserves a comp that matches a full-time worker's rate.
Also, we work in computer science and for a vast majority of developers it's business as usual. So I wouldn't say that it's particularly generous or lucky.
Oh I agree, but I'm here to learn more than anything. And I'm certainly not underpaid compared to market.
Before this current job I hadn't worked as a professional (outside of minor freelance work in my home town) so I see this as bootstrapping a career with zero student debt, plus there's perks like travel opportunities and accelerated career growth which I couldn't easily get elsewhere.
> Also, we work in computer science and for a vast majority of developers it's business as usual. So I wouldn't say that it's particularly generous or lucky.
I was lucky enough to be born into a good family, where I could learn the skills to be where I am today, no?
Google interns get paid a pretty decent amount (about as much as I was working as a full-time systems analyst for my city government, apparently). Unless they can find a vuln like that a month, they were probably paid better by Google.
Not a googler/xoogler, but if FILE_GOOGLE3_ACCESS means what I think it means.... Yikes! (Especially since FILE_GOOGLE3_READ_ONLY_ACCESS is a separate permission, that implies the possibility of writes, but even read-only access is not something Google would want a random outsider to have.)
And that is almost surely only a tiny subset of what could be done via the whole run-with-arbitrary-permissions thing. Most of the others don't jump out at me as much as that one does, but I may just not recognize the significance of some of the permissions.
It is interesting that he could only make it work in the non-production environment, but I'm not sure if that would actually limit the capabilities meaningfully.
My guess is the "independent discovery 1 hour earlier" wasn't truly independent.
I'd guess that by messing with this stuff, it probably broke some internal systems that ended up firing alerts to engineers internally. Those engineers then 'discovered' the bug, and started fixing it.
Most systems at scale are designed to reject bad input, log it, but nobody takes any action.
A few systems have to process every record in order. For example, the billing system might go through every entry in a database table and add them to bills. If just one entry is malformed in some way and can't be added to the bill, it is retried. If there isn't success after a few retries, the whole process fails, and an engineer is paged to sort the problem.
I saw this kind of thing multiple times... You think you have fully sanitized every input, but someone always finds a way to add a 30 gigabyte surname to the address book, choose a profile image with negative dimensions, have a million devices share the same MAC address, etc.
Note the timeline says this occurred in early 2018. The $7.5k is the reward, the bug itself was with Google Cloud API management and could theoretically allow users to enable billable APIs without enabling billing, or to access private APIs or to disable APIs for third-party projects.
It seems fairly safe to assume someone has already snapped this guy up. I can't recall the last time I felt so impressed reading some security write-up.