Two Indian hackers received a staggering $22,000, or about Rs 18 lakh, for finding a critical weakness under Google’s bug bounty programme. Large technology companies pay such bounties to researchers who report vulnerabilities in their software or systems.
A brief about Google offers Rs 18 lakh to 2 Indian hackers who discover just one bug:
The two researchers were paid for a security hole in Google Cloud Platform: $5,000 for a server-side request forgery (SSRF) flaw and for a bypass of Google’s first patch for it.
In a blog post, the researchers, Sreeram KL and Sivanesh Ashok, said they had set out to look for flaws in Google’s software, particularly Google Cloud Platform, which was new to them, and found a bug in its “SSH-in-browser” feature.
“Since this was our first foray into Google Cloud, we naturally found Compute Engine, one of the most well-known products. As I looked into its functions and features, I came upon ‘SSH-in-browser.’ GCP has a functionality that enables customers to connect to their compute instances using SSH from a browser. This UI visually resembles Cloud Shell quite a bit,” according to Ashok’s blog.
He went on to explain that the feature uses the SSH protocol to let users reach their compute instances (virtual machines) from a web browser.
After the researchers reported the weakness, Google added cross-site request forgery (CSRF) protection to the affected GET endpoints and tightened the platform’s domain verification.
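To make the two fixes concrete, here is an added example (not Google’s code and not from the researchers’ write-up): a toy browser-to-backend connect endpoint in Python that opens a connection to a URL taken from a GET request, shown first with no protection and then with a session-bound CSRF token plus proper domain verification of the target. The endpoint shape, the `Sec-Fetch-Site` policy, the allowlisted host, the cookie name and the secret are all constructed for illustration.

```python
"""Added example: a GET "connect" endpoint without and with the fixes the
article describes (CSRF protection on a GET endpoint, domain verification).
All names, hosts and secrets below are constructed, not Google's."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

ALLOWED_TARGET_HOSTS = {"ssh.cloud.example"}      # constructed: hosts the backend may reach
CSRF_SECRET = b"constructed-secret-for-demo-only"  # constructed: would be per-deployment in practice


def issue_csrf_token(session_id: str) -> str:
    """Session-bound token, HMAC(secret, session id). A cross-site page can make the
    victim's browser send cookies, but it cannot read them, so it cannot forge this."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _query(request: dict) -> dict:
    """First value of each query parameter from a request dict like
    {"method": "GET", "query": "url=...", "headers": {...}, "cookies": {...}}."""
    return {k: v[0] for k, v in parse_qs(request.get("query", "")).items()}


def handle_connect_vulnerable(request: dict) -> tuple:
    """Trusts the query string outright. Any page the victim visits can make the
    browser issue this GET with the victim's cookies, and the backend then connects
    to an attacker-chosen host: a CSRF that turns into an SSRF."""
    return ("proxy", _query(request).get("url", ""))


def target_host_allowed(url: str) -> bool:
    """Domain verification done on the parsed URL, not on the raw string, so
    'https://ssh.cloud.example@attacker.example/' is seen as attacker.example."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname.lower() in ALLOWED_TARGET_HOSTS


def handle_connect_hardened(request: dict) -> tuple:
    """Same GET endpoint with three checks: fetch metadata, CSRF token, target host."""
    params = _query(request)
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # 1. Modern browsers attach Sec-Fetch-Site; when present, anything other than a
    #    same-origin request or a user-typed navigation ("none") is refused.
    site = headers.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return ("reject", "cross-site")

    # 2. The token must match the one derived from this session. compare_digest
    #    keeps the comparison constant-time; both sides are encoded to bytes so a
    #    non-ASCII attacker value cannot raise instead of failing closed.
    session_id = request.get("cookies", {}).get("session", "")
    expected = issue_csrf_token(session_id).encode()
    supplied = params.get("csrf", "").encode()
    if not session_id or not hmac.compare_digest(supplied, expected):
        return ("reject", "csrf")

    # 3. Only allowlisted hosts over https may be connected to.
    url = params.get("url", "")
    if not target_host_allowed(url):
        return ("reject", "host")
    return ("proxy", url)


if __name__ == "__main__":
    sid = "sess-42"  # constructed session id
    cross_site = {"method": "GET", "query": "url=https://attacker.example/meta",
                  "headers": {"Sec-Fetch-Site": "cross-site"}, "cookies": {"session": sid}}
    print("vulnerable:", handle_connect_vulnerable(cross_site))
    print("hardened:  ", handle_connect_hardened(cross_site))
    good = {"method": "GET",
            "query": f"url=https://ssh.cloud.example/term&csrf={issue_csrf_token(sid)}",
            "headers": {"Sec-Fetch-Site": "same-origin"}, "cookies": {"session": sid}}
    print("hardened, legitimate:", handle_connect_hardened(good))
```

The order of the checks matters: the CSRF token is the check that actually stops a forged request, `Sec-Fetch-Site` is defence in depth for browsers that send it, and host verification is what keeps a legitimately authenticated user (or a bypass of the first two checks) from pointing the backend at an arbitrary host.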
Ashok and Sreeram had earlier found a flaw in Theia, a web-based IDE used in another Google Cloud product. During that research they noticed that the Theia version in use was not the latest, so they looked for known vulnerabilities in that version and found several, but not all of them were exploitable: some had been removed from the installation, and others required unrealistic user interaction, such as downloading a file and then opening it.