A bored student from Uruguay recently hit jackpot as he tried to find ways to pass the time.
As Ezequiel Pereira himself explains in a blog post, he started to look for a bug in Google. At first he tried changing the Host header in requests to the App Engine server in order to gain access to some internal App Engine apps using Burp which is a tool for testing Web app security levels.
While most of his attempts returned a “404: Not found” message or resulted in Google checking to see if he was using a Google employee account, he did stumble upon an unprotected website (yaqs.googleplex.com). He was redirected to “/eng” which contained info about Google services and infrastructure. Even more interestingly, Pereira discovered something called “Google Confidential” in the footer.
It seemed important and easily accessible, so the student went ahead and reported the issue. A few hours later he received an email from Google confirming the vulnerability. While at first, Pereira didn’t think the discovery was worth a dime, Google followed up with an email a few weeks later informing him he will receive $10,000 through the Vulnerability Reward Program.
Why the large reward? Apparently Google found a few variants which could have potentially allowed attackers to access sensitive data. Since then, big G has fixed the issue.