More than $ 300,000 was donated to GCP prizes in 2021
Ethical hackers earned over $ 300,000 after discovering various flaws in the Google Cloud Platform (GCP).
The top seven responsible revealed vulnerabilities that qualified through GCP’s Vulnerability Reward Program (VRP) last year earned a total of $ 313,337, of which the winner took home $ 133,337.
Google said the GCP VRP-which began in 2019-shows that many talented security software researchers are participating in improving cloud security by removing vulnerabilities that may not have gone unnoticed.
The amount awarded represents a large portion of the $ 8.7 million awarded by Google across the full range of vulnerability disclosure programs.
I’m an IAP, I hope you’re an API too
The top prize, and a $ 133,337 prize, was awarded to security researcher Sebastian Lutz for detecting a bug in the Identity-Aware Proxy (IAP) that offers an attacker a way to access resources protected by IAP. .
The flaw means that if an attacker tricked a potential victim into visiting a URL under their control, they would be able to steal their IAP authentication token, as further explained in a tech blog post.
Hungarian researcher Imre Rad won a second prize of $ 73,331 after discovering a mechanism to control a Google Compute Engine virtual machine.
The hack relied on sending malicious Dynamic Host Configuration Protocol (DHCP) packets to the virtual machine to spoof the Google Compute Engine metadata server.
RELATED Most ethical hackers want to spend more time chasing the bug bounty – report
As explained in a technical post by Rad on Github, the flaw and related attacks were first reported to Google in September 2020.
A lengthy disclosure process followed, and until Rad published its findings in June 2021, Google fixed the issue a month later.
Join the data stream
Third place in the 2021 edition of the GCP VRP Stakes – with a prize pool of $ 73,331 – was awarded to security researcher Mike Brancato for remote code execution (RCE) detection and disclosure in Google Cloud Dataflow.
Brancato discovered that Dataflow nodes exposed an unverified Java JMX port, a security flaw that allows arbitrary recommendations to run on the virtual machine, as explained in a technical blog post.
The impact of the vulnerability depends on the service account assigned to Dataflow worker nodes, Brancato said. The daily sip.
The researcher explained, “By default, this is the default google Compute Engine service account, assigned to the project-wide editor role. The Editor’s role is multiple permissions to create and destroy resources – this is one of the “core roles” that Google doesn’t recommend using because they provide extended permissions.
Learn about the latest cloud security news
They added, “The vulnerability can be easily exploited using existing tools like Metasploit,” if an attacker identifies an open firewall port that exposes a weak system to a potential attack.
The security researcher has been working in cloud security since 2017 and bug bounty hunting has become a natural extension of their regular work.
“As part of my exposure to the Apis cloud and my background, I began to identify systems that looked interesting and could be vulnerable to attack,” Brancato concludes.
The daily sip Lutz and Rad were also invited to comment on their respective research, as well as asking Google how it would like to improve the cloud-focused elements of its bug bounty program.
Recommended HTTP/3 has evolved into RFC 9114-a security benefit, but not without challenges