Ezequiel Pereira, a high school student from Uruguay, has been rewarded $10,000 after reporting a security flaw. The flaw could have been exploited by hackers to access and steal confidential data from Google.
In his blog post, he wrote:
I was “bored” one day, so I tried to find a bug in Google. I tried changing the Host header in requests to the Google App Engine server using Burp, a tool for testing Web application security.
Most of my attempts failed, mainly due to ‘404: Not found’ messages being returned to me, or that Google would check if I was using a Google employee’s account. However, when I tried another website, I found that it didn’t have any security measures. The page redirected me to ‘/eng,’ which to my surprise contained different sections about Google services and infrastructure.
Digging even deeper, I found something called ‘Google Confidential’ in the footer. With this discovery in consideration, I went ahead and reported the issue.
A few hours later, I received a response from the company, affirming the flaw. I initially didn’t think too much about the discovery.
“Cool, this is probably a small thing that isn’t worth a dime, the website probably had some technical stuff about Google servers and nothing really important,” he said.
He was contacted again after some days. Google informed him that he would receive $10,000 through Google’s Vulnerability Reward Program (VRP) for his security report.