Google rewards Rs 18 lakh to Indian hackers for discovering a bug


By MYBRANDBOOK



Two Indian hackers received a whopping $22,000 for spotting a security flaw in projects on Google's cloud platform. They reported a major server-side request forgery bug and a subsequent patch bypass. The bug they found could have allowed someone to take control of another user's virtual machine with just one click.


The two hackers, Sreeram KL and Sivanesh Ashok, said that they were new to the platform and, while exploring it, found a problem in one of its features, called "SSH-in-browser". Sivanesh Ashok said, "Since this was our first step into Google Cloud, we naturally stumbled upon one of the most popular products, Compute Engine. While exploring its features and how it works, I noticed SSH-in-browser. It is a feature in GCP that lets users access their compute instances, through SSH, via the browser. Visually, this interface looks very similar to Cloud Shell."


The feature lets users access their compute instances, such as a virtual machine, from a web browser over the SSH protocol. After the flaw was reported, Google fixed it by adding cross-site request forgery (CSRF) protection to the affected GET endpoints and improving the domain verification process.
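The two mitigations named above, a CSRF token check on a state-changing GET endpoint and verification of the requesting domain, are easy to illustrate in miniature. The following is an added example written for this article; it is not Google's code and does not describe how SSH-in-browser is implemented. The endpoint path, the Request dataclass, the allowed-origin list and the per-session secret are all constructed for the illustration.

```python
"""
Added illustration (not Google's code): CSRF protection on a state-changing
GET endpoint, plus strict verification of the requesting domain.

Everything here is constructed for the example:
  - requests are modelled by the Request dataclass below
  - each logged-in session has a secret from which CSRF tokens are derived
  - only origins listed in ALLOWED_ORIGINS may invoke the endpoint
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical first-party console host; anything else is treated as cross-site.
ALLOWED_ORIGINS = {"https://console.example.test"}


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    session_secret: bytes = b""  # what the server would look up from the session cookie


def csrf_token(session_secret: bytes, action: str) -> str:
    """Derive a per-session, per-action token with HMAC so a third party cannot guess it."""
    return hmac.new(session_secret, action.encode(), hashlib.sha256).hexdigest()


def origin_is_trusted(headers: dict) -> bool:
    """Domain verification: the Origin header (Referer as fallback) must be an allowed origin."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return False  # fail closed when the browser sends neither header
    parts = urlparse(raw)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def vulnerable_handler(req: Request) -> str:
    """Weak form: a GET that performs a privileged action with no CSRF check at all.
    Any page the victim visits can trigger it, which is the 'one click' risk."""
    if req.method == "GET" and req.path == "/ssh/add-key":
        return f"added key {req.query.get('key')}"
    return "404"


def hardened_handler(req: Request) -> str:
    """Hardened form: a session-bound token is required AND the origin must be trusted."""
    if req.method == "GET" and req.path == "/ssh/add-key":
        expected = csrf_token(req.session_secret, "add-key")
        supplied = req.query.get("csrf", "")
        if not hmac.compare_digest(expected, supplied):  # constant-time comparison
            return "403 bad csrf token"
        if not origin_is_trusted(req.headers):
            return "403 untrusted origin"
        return f"added key {req.query.get('key')}"
    return "404"


def demo() -> dict:
    """Run constructed requests through both handlers and return the outcomes."""
    secret = secrets.token_bytes(32)
    # Cross-site request from a third-party page: no token, foreign Referer.
    cross_site = Request("GET", "/ssh/add-key", {"key": "FOREIGN"},
                         {"Referer": "https://other.example.test/page"}, secret)
    # Correct token but foreign origin: domain verification still blocks it.
    token_only = Request("GET", "/ssh/add-key",
                         {"key": "FOREIGN", "csrf": csrf_token(secret, "add-key")},
                         {"Origin": "https://other.example.test"}, secret)
    # Legitimate first-party request carrying the session-bound token.
    legit = Request("GET", "/ssh/add-key",
                    {"key": "USER", "csrf": csrf_token(secret, "add-key")},
                    {"Origin": "https://console.example.test"}, secret)
    return {
        "vulnerable_cross_site": vulnerable_handler(cross_site),
        "hardened_cross_site": hardened_handler(cross_site),
        "hardened_token_only": hardened_handler(token_only),
        "hardened_legit": hardened_handler(legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two checks are deliberately independent: the token defeats a request forged from another site, and the origin check catches the case where a token has leaked or a bypass lets it be supplied. Applying both is what makes a GET endpoint that changes state (here, adding an SSH key) safe to keep.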


The two hackers also found a bug in another Google cloud platform, "Theia", where the version of Theia in use was not the latest one. They looked for known vulnerabilities in that version and found several, but not all of them could be used to exploit the system: some had been removed from the installation, and others required unrealistic user interaction, such as uploading a file and then opening it, which made exploitation difficult.
