A high school student has received a $10,000 bug bounty award for reporting a security vulnerability in Google’s App Engine.
Back in July, 17-year-old Ezequiel Pereira decided to use the Burp Suite graphical tool to test the web application security of Google’s App Engine. He wanted to see if he could access pages protected by MOMA, a portal for only Google employees, without providing a legitimate Googler account. Towards that end, Pereira connected to a public Google service like www.appspot.com, changed the Host header in the HTTP request to a MOMA-protected page, and tested the request to see if he could view Google employee content without proper authorization.
The teenager recalls his work to exploit this security issue:
“Most of my attempts failed, either because the server returned a 404 Not Found, or because it had some security measure such as checking that I used a Googler account (firstname.lastname@example.org) instead of a normal Google account.
“But one of the websites I tried, ‘yaqs.googleplex.com’, didn’t check my username, nor had any other security measure. The website’s homepage redirected me to ‘/eng’, and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: ‘Google Confidential.'”
At that point, Pereira backed out and submitted a bug report to Google on 1 July. On 4 August, the tech giant responded with an emailing stating it had fixed the issue and had decided to award him $10,000 for reporting the flaw.
The high schooler was completely taken back. As he told The Register on 10 August:
“I just think it was a very simple bug and I didn’t expect the large bounty at all. Maybe I’ll learn how to invest it, maybe I’ll travel somewhere nice and do some tourism.”
Pereira is a Uruguayan student of computer science. He might be young, but he’s already built up a reputation for himself as a budding and capable security researcher. He even won Google’s Code-In programming competition for pre-university students back in 2015, earning himself a trip to the tech giant’s headquarters in Mountain View, California.
As Pereira’s story indicates, young people are the future of digital security. Some unfortunately choose to become digital attackers. Others like Pereira become security researchers or even start their own digital security companies.
It’s important that parents and the security community do everything they can to steer young people with an interest in computer security towards the path of positive/benevolent hacking. Here are some tips on how they can get started.