Surprise! Student receives $36,000 Google bug bounty for RCE flaw

What’s the only thing better than a bug bounty cheque? A bug bounty cheque you weren’t expecting.

In the case of 18-year old student researcher at Uruguay’s University of the Republic in Montevideo, this cheque was to the tune of $36,337, awarded by Google for finding a surprisingly big hole in the security of its App Engine (GAE) cloud platform.

The story began when the researcher gained access to GAE’s restricted non-production environment earlier this year and found it was possible to rummage around in the platform’s internal and hidden APIs.

Google is not in a hurry to document this to outsiders, which made searching for vulnerabilities of any size a question of trial and error. This made the ease with which it was possible to find and interact with some of these APIs even more surprising.

Inside GAE’s deployment environment, the dangerous vulnerability turned out to be in one service, “app_config_service”. This proved significant because commands sent to it:

Allowed me to set internal settings such as the allowed email senders, the app’s Service Account ID, ignore quota restrictions, and set my app as a “SuperApp” and give it “FILE_GOOGLE3_ACCESS

In response to this revelation, someone at Google “bumped up the severity”, which raised its bug bounty value. However, Google’s bounty assessors added in an email:

Please stop exploring this further, as it seems you could easily break something using these internal APIs. When issuing a reward, we’ll take into account what you could have achieved if you wanted to.

A second email on 13 March confirmed the unexpectedly large bounty and for a good reason. Writes the student discoverer:

I was not aware until then that this was regarded as Remote Code Execution (The highest tier for bugs), it was a very pleasant surprise.

This means that an attacker could, in theory, bypass the researcher’s fiddling in Google’s API innards and go straight to this vulnerable service from a network or the internet, assuming they knew about it.

Google’s alarm at that is not surprising because an RCE of a GAE API could get very messy. The company has now fixed the issue.