Two Indian hackers have won a total cash reward of more than $22,000 in bug bounties from Google. Bug bounties are rewards, usually cash prizes, that major tech companies pay to individuals who find and report an error or vulnerability in their software or systems. These bounties were awarded by Google to the Indian duo for finding serious security vulnerabilities affecting Google Cloud Platform (GCP) projects. Among them, the biggest single payout was for a server-side request forgery (SSRF) bug and a subsequent bypass of Google's patch for it, which earned them $5,000.
The two Indians who won the bounties are Sreeram KL and Sivanesh Ashok, both participants in the Google Vulnerability Reward Program (VRP). Sivanesh also published a blog post detailing the bugs and how they came across them. Posting about it on Twitter, he said, “A write-up about how @kl_sree and I found a bug in Google Cloud that allowed us to take over a victim's compute engine VM”.
The VM takeover bug is especially dangerous because it needs nothing more than a click. As Sivanesh's account makes clear, the request that adds an SSH user to a Compute Engine instance carried no anti-CSRF token, so an attacker could craft a link, send it to a logged-in GCP user, and have the victim's own browser submit the request. Once the attacker's SSH key is on the instance, they can log in to the victim's virtual machine remotely.
Sivanesh pointed out in his blog, “Since there was no random token or CSRF protection, anyone could craft a link and send it to a Compute Engine user to create a new user in their instance…making a victim open a malicious link would add the attacker's username and SSH key into their computer”.
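The mechanism Sivanesh describes, shown as an added illustration rather than as Google's code or the researchers' own proof of concept: a state-changing endpoint that accepts a plain GET with no token, beside a hardened version that insists on POST, a per-session anti-CSRF token compared in constant time, and an Origin check. The endpoint path /add_ssh_user, the parameter names, the session store and the key strings are all assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins: an instance's authorized-keys list, a browser request,
# and a session store. None of this is Google's code; names are illustrative.
@dataclass
class Instance:
    authorized_keys: List[str] = field(default_factory=list)

@dataclass
class Request:
    method: str
    url: str                                    # URL the browser requested
    cookies: Dict[str, str]                     # attached automatically by the browser
    form: Dict[str, str] = field(default_factory=dict)     # POST body
    headers: Dict[str, str] = field(default_factory=dict)

SESSIONS = {"victim-session": {"user": "victim"}}          # constructed session store
FIRST_PARTY_ORIGIN = "https://console.example"             # assumed console origin

def _query(req):
    return {k: v[0] for k, v in parse_qs(urlparse(req.url).query).items()}

def vulnerable_add_ssh_user(req, instance):
    """The pattern the write-up describes: any request from a logged-in
    browser, even a GET produced by opening a link, adds a user and key.
    There is no method restriction and no anti-CSRF token."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    p = _query(req)
    instance.authorized_keys.append(f"{p['username']}:{p['ssh_key']}")
    return 200

def hardened_add_ssh_user(req, instance):
    """Hardened form: state changes only via POST, from the first-party origin,
    with a per-session token that the attacker's page cannot read."""
    session = SESSIONS.get(req.cookies.get("session"))
    if session is None:
        return 401
    if req.method != "POST":
        return 405
    if req.headers.get("Origin", "") != FIRST_PARTY_ORIGIN:
        return 403
    expected = session.get("csrf_token")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    instance.authorized_keys.append(f"{req.form['username']}:{req.form['ssh_key']}")
    return 200

def issue_csrf_token(session_id):
    """Token the console would embed in its own form for this session."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token

# Constructed attacker link: the victim's browser will attach the session cookie.
ATTACKER_LINK = (f"{FIRST_PARTY_ORIGIN}/add_ssh_user"
                 "?username=attacker&ssh_key=ssh-ed25519+AAAA-constructed-attacker-key")

def simulate_link_click(handler):
    """Victim, already logged in, opens the attacker's link (a top-level GET)."""
    inst = Instance()
    req = Request(method="GET", url=ATTACKER_LINK, cookies={"session": "victim-session"})
    return handler(req, inst), inst.authorized_keys

def simulate_cross_site_post(handler):
    """Same attack via an auto-submitting form on the attacker's page: the
    browser sends Origin: https://evil.example and has no token to include."""
    inst = Instance()
    req = Request(method="POST", url=ATTACKER_LINK, cookies={"session": "victim-session"},
                  form={"username": "attacker", "ssh_key": "ssh-ed25519 AAAA-constructed-attacker-key"},
                  headers={"Origin": "https://evil.example"})
    return handler(req, inst), inst.authorized_keys

def simulate_legit_post(handler):
    """The console's own form: POST from the first-party origin carrying the token."""
    inst = Instance()
    token = issue_csrf_token("victim-session")
    req = Request(method="POST", url=f"{FIRST_PARTY_ORIGIN}/add_ssh_user",
                  cookies={"session": "victim-session"},
                  form={"username": "victim", "ssh_key": "ssh-ed25519 AAAA-constructed-victim-key",
                        "csrf_token": token},
                  headers={"Origin": FIRST_PARTY_ORIGIN})
    return handler(req, inst), inst.authorized_keys

if __name__ == "__main__":
    print("link click, vulnerable:", simulate_link_click(vulnerable_add_ssh_user))
    print("link click, hardened:  ", simulate_link_click(hardened_add_ssh_user))
    print("cross-site POST, hardened:", simulate_cross_site_post(hardened_add_ssh_user))
    print("legitimate POST, hardened:", simulate_legit_post(hardened_add_ssh_user))
```

The important property is that the token lives in the victim's session and in the console's own page, never in the attacker's link, so a forged request can present the cookie but not the token. The Origin check is defence in depth: it catches the cross-site POST even if a token check were ever misconfigured, and a SameSite cookie attribute would add a third layer in a real deployment.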
Users do not need to worry about this particular issue: after the researchers reported it, Google released a fix. Alongside the VM takeover bug, the two also reported several further vulnerabilities.
Speaking with Daily Swig, Sreeram said, “While finding this issue, we gained insight into the workings
Read more on tech.hindustantimes.com