Google Security Reward Program Honorable Mention

Posted by admin on Mar 20, 2011 in Bugs, Google Vulnerability Rewards, WebAppSec, XSS |

Well, I finally made it onto the Google Security Hall of Fame (Honourable Mention section of the page).

In fact my details got added a while back; however, I haven’t had the time to update the blog.

The issue that got me on there was a cross-site scripting issue (self-XSS in this case) in the invite functionality of Google Chat.

Google Chat is used throughout differing Google sites and all of them looked like they were vulnerable; however, upon checking the cookie returned, it would seem that the issue lay not in the translation site or iGoogle as first thought but with GoogleUserContent, which is not a site eligible for a reward.

I’d like to thank Adam Mein from the Google Security Team for all of his help and patience in the to and fro of helping to confirm and then assist in getting the issue fixed.

As everyone seems to like pictures, I’ll link to a couple of them here:

XSS 1

XSS 2

As for the arguments for and against paying for bugs, I’ve still not changed my stance: I’m all for it, although my reasons have changed.

I have recently found a new bug in Chrome which would allow an attacker to run injected code (JavaScript / HTML / CSS etc., read XSS) in any Chrome browser upon visiting a site. One thing to note about this new issue is that it is not a site problem, which is the case with virtually all normal XSS issues; in this case the issue is with Chrome. I won’t go into the issue any more just now as it’s not yet fixed. However, had I not already built up a relationship with Google, I would most likely have gone to TippingPoint or other types of bug auction sites.

So from my point of view, and hopefully Google’s, the program is a success due to the new relationships it creates between bug reporters and fixers.

Lastly, here is a nice document from the Google security team talking about the success of the reward program.

Martin Hall

The Test Manager


Copyright © 2012 The Test Manager Blog All rights reserved. Theme by Laptop Geek.