Two Indian hackers have won cash prizes of more than $22,000 in bug bounties after they found major flaws in Google Cloud Program (GCP) projects.
Two Indian hackers have won a total cash reward of more than $22,000 in bug bounties from Google. Bug bounties are rewards, usually cash prizes, given by major tech companies to individuals who identify an error or vulnerability in their computer programs or systems. These particular bug bounties were awarded by Google to the Indian hacker duo for finding major security vulnerabilities in its Google Cloud Program (GCP) projects. Among them, the biggest bounty was for a server-side request forgery (SSRF) bug and a subsequent patch bypass, which earned them a cool $5,000.
The two Indians who won the bounties are Sreeram KL and Sivanesh Ashok, who are both part of the Google Vulnerability Rewards Program (VRP). Sivanesh also posted a blog detailing the bugs and how they came across them. Posting about it on Twitter, he said, “A write-up about how @kl_sree and I found a bug in Google Cloud that allowed us to take over a victim’s compute engine VM”.
Indian hacker duo find vulnerabilities in Google
The SSRF bug is an especially dangerous vulnerability to have. By abusing it, hackers could trick victims into opening malicious links and take control of their GCP projects remotely.
Sivanesh pointed out in his blog, “Since there was no random token or CSRF protection, anyone could craft a link and send it to a Compute Engine user to create a new user in their instance…making a victim open a malicious link would add the attacker’s username and SSH key into their computer”.
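The quote describes a state-changing action (adding a username and SSH key to an instance) that could be triggered by any link the victim opened, because the request carried no unpredictable token and no CSRF protection. The following is an added example, not code from the article or from the researchers' blog, that models that weakness in a toy handler and places the usual mitigation beside it: accept the change only on a POST, check the `Origin` header against the site that legitimately serves the form, and require a per-session CSRF token compared in constant time. The handler names, the dict-shaped request object, the in-memory session and the instance names are all constructed for illustration and are not GCP APIs.

```python
"""Added example (not from the article or the researchers' write-up): a toy
'add SSH key to instance' handler without CSRF protection, beside a hardened
version. Request objects, sessions and instance names are constructed here
for illustration; nothing below is a real Google Cloud API.
"""
import hmac
import secrets

# Constructed in-memory state: which (username, public key) pairs each
# instance trusts. A real service would write this into instance metadata.
INSTANCE_KEYS = {}


def reset():
    """Clear the constructed state so each scenario starts from nothing."""
    INSTANCE_KEYS.clear()


def _apply(instance, username, pubkey):
    INSTANCE_KEYS.setdefault(instance, []).append((username, pubkey))


# --- Weak handler: the change is driven purely by URL parameters. -------
def add_key_unprotected(request):
    """Any GET link that reaches this endpoint adds the key: no method
    restriction, no Origin check, no token. This is the pattern the quote
    describes, modelled here, not the original code."""
    p = request["params"]
    _apply(p["instance"], p["username"], p["pubkey"])
    return 200


# --- Hardened handler: POST only, Origin check, per-session CSRF token. ---
def new_session(allowed_origin="https://console.example.test"):
    """Constructed session: a random token tied to the logged-in user."""
    return {"csrf_token": secrets.token_urlsafe(32), "origin": allowed_origin}


def add_key_protected(request, session):
    # 1. Reject non-POST requests: a plain link can only produce a GET.
    if request["method"] != "POST":
        return 405
    # 2. The browser-set Origin header must name the legitimate console.
    if request["headers"].get("Origin") != session["origin"]:
        return 403
    # 3. The submitted token must equal the session's token; compare in
    #    constant time so the comparison itself leaks nothing.
    submitted = request["form"].get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf_token"].encode()):
        return 403
    f = request["form"]
    _apply(f["instance"], f["username"], f["pubkey"])
    return 200


def cross_site_link_request(instance="vm-1"):
    """Constructed request as produced by a victim clicking a crafted link:
    a GET with everything in the query string, no token, foreign Origin."""
    return {
        "method": "GET",
        "headers": {},
        "params": {"instance": instance, "username": "outsider",
                   "pubkey": "ssh-ed25519 AAAA-constructed-key"},
        "form": {},
    }


def legitimate_form_request(session, instance="vm-1"):
    """Constructed request as submitted from the real console form."""
    return {
        "method": "POST",
        "headers": {"Origin": session["origin"]},
        "params": {},
        "form": {"instance": instance, "username": "owner",
                 "pubkey": "ssh-ed25519 AAAA-owner-key",
                 "csrf_token": session["csrf_token"]},
    }


if __name__ == "__main__":
    reset()
    s = new_session()
    print("unprotected, crafted link:", add_key_unprotected(cross_site_link_request()))
    print("protected, crafted link:  ", add_key_protected(cross_site_link_request(), s))
    print("protected, real form:     ", add_key_protected(legitimate_form_request(s), s))
    print("keys now trusted:", INSTANCE_KEYS)
```

Running it shows the crafted link succeeding against the unprotected handler and being refused (405) by the protected one, while the real form submission, carrying the session's token from the correct origin, still goes through. A forged POST from another site fails the Origin check, and a forged POST that somehow spoofs the origin still fails on the token it cannot know.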
However, users do not need to worry about it: after the security risk was flagged, Google released a patch that addresses the issue. Alongside this, the two Indians also uncovered several more vulnerabilities.
Speaking with Daily Swig, Sreeram said, “While finding this issue, we gained insight into the workings of managed GCP products, which helped us find other bugs in GCP”.
What is Google VRP
The Google Vulnerability Reward Program (VRP) is a formal process to reward the contributions of external security researchers towards finding security risks and providing patches for them. As long as they follow Google's guidelines, any security researcher can participate, flag a vulnerability and receive a reward from Google.