Over $300,000 was given away in GCP prizes in 2021
Ethical hackers have earned over $300,000 after discovering various flaws in Google Cloud Platform (GCP).
The top seven responsibly disclosed vulnerabilities that qualified through GCP’s Vulnerability Reward Program (VRP) last year raked in a total of $313,337, with the winner taking home $133,337.
Google said the GCP VRP — which began in 2019 — shows that many talented security software researchers are getting involved in improving cloud security by uncovering vulnerabilities that might otherwise have gone unnoticed.
The amount awarded represents a significant fraction of the $8.7 million awarded by Google across its full suite of vulnerability disclosure programs.
I’m IAP, I hope you’re API too
The top prize, and a $133,337 prize, was awarded to security researcher Sebastian Lutz for discovering a bug in Identity-Aware Proxy (IAP) that offered an attacker a way to access IAP-protected resources. .
The flaw meant that if an attacker tricked a potential victim into visiting a URL that was under their control, they would be able to steal their IAP authentication token, as further explained in a tech blog post.
Hungarian researcher Imre Rad won a second prize of $73,331 after discovering a mechanism to take control of a Google Compute Engine virtual machine.
The hack relied on sending malicious Dynamic Host Configuration Protocol (DHCP) packets to the virtual machine in order to spoof the Google Compute Engine metadata server.
RELATED Vast majority of ethical hackers keen to spend more time chasing bug bounty – report
As explained in a technical write-up by Rad on Github, the flaw and associated attacks were first reported to Google in September 2020.
A lengthy disclosure process followed, and it wasn’t until Rad made its findings public in June 2021 that Google fixed the issue a month later.
Go with the data stream
Third place in the 2021 edition of the GCP VRP Stakes – with a prize of $73,331 – was awarded to security researcher Mike Brancato for discovering and disclosing a remote code execution (RCE) in Google Cloud Dataflow.
Brancato discovered that Dataflow nodes exposed an unauthenticated Java JMX port, a security flaw that allowed arbitrary recommendations to be run on the virtual machine, as explained in a technical blog post.
The impact of the vulnerability depends on the service account assigned to Dataflow worker nodes, Brancato said. The daily sip.
The researcher explained, “By default, this is the default google Compute Engine service account, which is assigned the project-wide editor role. The Editor role has many permissions to create and destroy resources – it is one of the “basic roles” that Google does not recommend using as they provide extended permissions.
Learn about the latest cloud security news
They added, “The vulnerability is easily exploitable with existing tools like Metasploit,” provided an attacker identifies an open firewall port that exposes a vulnerable system to a potential attack.
The security researcher has been working in cloud security since 2017 and bug bounty hunting has become a natural extension of their regular job.
“As part of my exposure to the Apis cloud and my background, I started to identify systems that look interesting and that may be vulnerable to attack,” Brancato concluded.
The daily sip Also invited Lutz and Rad to comment on their respective research, as well as asking Google how it would like to improve the cloud-focused elements of its bug bounty program.
RECOMMENDED HTTP/3 evolves to RFC 9114 – a security benefit, but not without challenges