Indian Hacker Wins $22000 Google Bounty For Discovering Major Vulnerabilities


Two Indian hackers have won more than $22,000 in bug bounties after they found major vulnerabilities in Google Cloud Program (GCP) projects.

Two Indian hackers have won cash rewards totaling more than $22000 as bug bounties from Google. A bug bounty is a reward, usually cash, given by large technology companies to individuals who identify bugs or vulnerabilities in their computer programs or systems. Google gave these bounties to the Indian hacker duo for finding major security holes in its Google Cloud Program (GCP) projects. The biggest reward among them was for a server-side request forgery (SSRF) bug and a patch bypass, which later earned them $5000.

The two Indians who won the bounty are Sreeram KL and Sivanesh Ashok, both members of the Google Vulnerability Rewards Program (VRP). Sivanesh also published a blog post detailing the bugs and how they came across them. Posting about it on Twitter, he said, “An article about how @kl_sree and I found a bug in Google Cloud that allows us to take over the victim’s computer virtual machine.”

The Indian hacker duo found a vulnerability in Google

The SSRF bug in particular is a dangerous vulnerability. By abusing this vulnerability, hackers could trick victims into opening malicious links and remotely take control of their GCP projects.

Sivanesh pointed out in his blog: “Since there is no random token or CSRF protection, anyone can generate a link and send it to the Compute Engine user to create a new user in their case… making the victim open a malicious link will add the attacker’s username and SSH key to their computer.”

However, users need not worry: after the security risk was flagged, Google released a patch that addresses the issue. The two Indians also discovered further vulnerabilities.

Speaking to The Daily Swig, Sreeram said, “While working on this issue, we gained a better understanding of how our managed GCP products work, which helped us find other bugs in GCP.”

What is Google VRP?

The Google Vulnerability Reward Program (VRP) is a formal process for rewarding external security researchers who find security risks and provide patches for them. Anyone can join, flag a vulnerability and be rewarded by Google, as long as they follow Google’s guidelines.

