Well, I finally made it onto the Google Security Hall of Fame (Honourable Mention section of the page).
In fact my details were added a while back; however, I haven't had the time to update the blog.
The issue that got me on there was a cross-site scripting issue (Self XSS in this case) in the invite functionality of Google Chat.
Google Chat is used throughout different Google sites and all of them looked like they were vulnerable; however, upon checking the cookie returned, it seemed that the issue lay not in the translation site or iGoogle as first thought but with GoogleUserContent, which is not a site eligible for a reward.
I'd like to thank Adam Mein from the Google Security Team for all of his help and patience in the to and fro of helping to confirm the issue and then assisting in getting it fixed.
As everyone seems to like pictures, I'll link to a couple of them here:
XSS 1 (screenshot link)
XSS 2 (screenshot link)
As for the arguments for and against paying for bugs: I've still not changed my stance, I'm all for it, although my reasons have changed.
I have recently found a new bug in Chrome which would allow an attacker to run injected code (JavaScript / HTML / CSS etc., read XSS) in any Chrome browser upon visiting a site. One thing to note about this new issue is that it is not a site problem, which is the case with virtually all normal XSS issues; in this case the issue is with Chrome itself. I won't go into the issue any more just now as it's not yet fixed. However, had I not already built up a relationship with Google, I would most likely have gone to TippingPoint or other types of bug auction sites.
So from my point of view, and hopefully Google's, the program is a success due to the new relationships it creates between bug reporters and fixers.
Lastly, here is a nice document from the Google security team talking about the success of the reward program.
Martin Hall, The Test Manager
Posted by admin on Dec 8, 2010 in Bugs, Google Vulnerability Rewards

Google Vulnerability Research Reward
Some of you may have heard that Google has recently launched a new programme to encourage responsible disclosure of security bugs in their products and websites.
This scheme is called the Google Vulnerability Reward Programme. You can read more about it on Google's security blog.
The basics are that anyone finding a "relevant" bug that could compromise the security or privacy of Google's customers (that's you and me) will receive a standard amount of $500.00, and if the bug found shows flair then Google may award up to $3,133.7 (which spells "eleet" in hacker talk).
Now most people who try to find bugs in Google will fail, as their systems are some of the most widely used in the world and they can afford to hire the best of the best when it comes to Security Bods, System Testers (called Engineers in Test at Google) and also decent coders.
So we don't expect things to be easy; however, I was surprised, like many others, to find quite a few issues.
Obviously I can't post any details about the issues until Google gives me the go-ahead. However, expect some posts in the near future.
The reward programme is a great way for System / Web Testers and Penetration Testers to try out a few things and learn something along the way.
One thing I will say is that Google are getting stricter on which reported issues count.
For example:
I found a bug which allowed me to execute JavaScript (XSS) on virtually any of Google's sites. However, Google deemed that it was not really a bug as it would not really be exploitable in the wild, meaning that you couldn't send a link or embed the malicious code on a site and have it actioned.
I still thought it was a major issue (XSS on nearly every Google domain); however, they think otherwise. Either way, I'll keep the method secret in case they change their minds.
So you have to find issues that are going to be exploited in the real world, and you also have to find them first.
I also found a bug on another Google site; I submitted my report and got a reply from a security engineer that someone else had already reported the same issue before me.
If you're thinking "what's to stop Google accepting your submissions and then just saying we already know about that one?", well, the answer is nothing. It has to be a trust thing. They trust that the reporter will not exploit the bug for their own means and will keep the issue secret, and the reporters have to trust that Google works on honesty and wouldn't lie just to save a few hundred or thousand dollars.
So if you have a few hours spare and want to have a bit of fun while learning then have a go.
Remember: no automated tools, and only test on your own account (nothing destructive).
Try to concentrate on a particular area, whichever one you are best at. For me that would be XSS, whereas, as you can see from Neal Poole's posts, he seems to focus more on CSRF.
Good luck.