War Stories from Google's

Vulnerability Reward Program

Gábor Molnár molnarg@
2016-10-20
 Proprietary + Confidential

Introduction

Software Engineering BSc & MSc from BUTE Hungary

Founding member of
the !SpamAndHex CTF team and CrySyS Student Core
Information Security Engineer at Google Switzerland
Web security, foosball and internet cat enthusiast
 Proprietary + Confidential

Agenda
The VRP

A Great Report

Good vs Bad Reports

Proprietary + Confidential
 Proprietary + Confidential

The VRP

Proprietary + Confidential
 Proprietary + Confidential

VRP from the outside

You send us
vulnerability reports.

We fix the bugs and

reward good reports.

Source: Google Security Blog

 Proprietary + Confidential

VRP from the inside

A team of Information Security Engineers
in a weekly rotation
handling incoming vulnerability reports for

all Google web applications

all Google Android applications
and everything else Google

(except core Android OS components and Chrome)

 Proprietary + Confidential

Reports we receive

> 150 reports per week

6 minutes per report

90%: no bug filed

Source: Wikipedia, Secrets of Google VRP

 Proprietary + Confidential

Reports we receive

? Low quality Good Amazing

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. DuisSource:
non erat
1 2sem
34
 Proprietary + Confidential

Life of a VRP report

Bugfix Remediation
Bug Product team
Triage
submission ACK
Panel Reward

Reproduction

Finding duplicates

Severity assessment

Source: Lorem ipsum dolor sit amet, consectetur adipiscing

Source: Secrets
elit. Duisofnon
Google
erat sem
VRP
 Proprietary + Confidential

A Great Report:
Account Hijacking with XSS
See also: blog post

Proprietary + Confidential
 Proprietary + Confidential

The Report

From Ramzes, one of our top reporters

Combination of several bugs
Multi-step exploit
Victim visits attacker page → attacker can change victim’s password
Reward: USD 12,500
 Proprietary + Confidential

Attack scenario

1. User opens attacker site (phishing, etc.)

2. Attacker site exploits vulnerabilities on www.google.com
3. Password reset email is sent to the attacker
 Proprietary + Confidential

Context: Account Recovery

Restoring account access after losing password

Takes many signals into account.
A few good signals:
● Usual IP address
● Same browser as usual
● Good questionnaire answers
● …

Source: Bughunter University

 Application (on ?.google.com domain)
Proprietary + Confidential

1. XSS on www.google.com

Embeddable help popover

Uses an iframe (content frame)

Content frame uses an API: query → HTML

API communication: iframe + postMessage

API URL: specified in URL param, no filtering Content iframe (www.google.com)

Query
→ HTML can be attacker provided HTML

Check URL when creating iframe: good fix?

Invisible comms iframe (API domain)
Real fix: check every message!
Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
 Proprietary + Confidential

2. Starting Account Recovery

XSS payload runs on www.google.com

Account Recovery first step is on www

Email address is easy to extract on www

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
 Proprietary + Confidential

3. CSRF on
Redirect 2 on www
accounts.google.com URL: …?est=TOKEN

Next step is on accounts.google.com

Same Origin Policy → payload has no access Redirect 1 on www
Goal: submit this form with “I don’t know”
Form submit target URL = page URL
Page URL contains token (CPR) Prev. step on www
This acts as CSRF protection
Redirect 2 works without cookies
1. Read EST token (on www)
2. Repeat redirect 2 on server
3. Send back CPR token
4. Submit form using CPR token
Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
 Proprietary + Confidential

4. Choosing the
questionnaire
Back on www

Goal: send password reset link to attacker

Not to the secondary email address

Only choice: “Verify your identity by answering

multiple questions about your account.”

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
 Proprietary + Confidential

5. The questionnaire

Source: Lorem ipsum dolor sit amet, consectetur adipiscing elit. Duis non erat sem
 Proprietary + Confidential

6. Win
Password reset email is
sent to the attacker
 Proprietary + Confidential

Good vs Bad Reports

Proprietary + Confidential

Choose target carefully
Different reward amount per application.
High value targets probably mean more
work.
XSS on sandbox domain is out of scope.
Beginners: try acquisitions.
Proprietary + Confidential
Applications enabling account takeover:
https://accounts.google.com
Highly sensitive applications:
Search, Gmail, Inbox, Wallet, Cloud Console,
Play, etc.
Normal applications:
YouTube, Blogger, etc.
Non-integrated acquisitions, other apps:
BandPage, Pixate, etc.
Source: VRP rules page
 Proprietary + Confidential

Choose target carefully No monetary reward for recent acquisitions

(6 months blackout period):
Different reward amount per application. Apigee

High value targets probably mean more Out of scope: XSS in sandbox domains:
work. ad.doubleclick.net
googleusercontent.com
XSS on sandbox domain is out of scope. googlecode.com
codespot.com
Beginners: try acquisitions. feeds.feedburner.com
...

Source: VRP rules page

 Proprietary + Confidential

Include an Attack Scenario Good Attack Scenario

What does the victim and the attacker do? 1. Victim visits the attacker’s website
2. The victim is tricked into clicking on
Attacker privileges: less → more the website
3. The attacker exploits a clickjacking
How likely is that the victim will do this? bug using this click.
4. The attacker has JS execution on
Safe to assume that the victim
xyz.google.com, can steal data.
● is logged in to Google
● clicks on a link (phishing works)
● clicks once or twice on an attacker
website (Clickjacking works)

Source: This is not real VRP report

 Proprietary + Confidential

Include an Attack Scenario Weak Attack Scenarios

1. Install Burp on the machine
Don’t assume that the victim
2. Read user cookies at https://google.com
● downloads and executes a binary
3. BAAAAM you’re pwned
● runs a browser with a vulnerability
● gives physical access to their 1. Victim opens attacker website
unlocked machine/phone to attacker 2. Attacker uses the CVE-X Chrome UXSS
to read cookies from https://google.com
Typical weak attack scenario:
more privileges → less privileges 1. Victim leaves his computer unlocked
2. Attacker installs keylogger
3. Attacker is able to read emails written

1. Victim opens page with

<img src=google.com/logout>
2. Victim is logged out
Source: Based on true stories

Include a Proof of Concept
or detailed repro steps
How exactly does the vulnerability work?
Test your PoC before sending
Proprietary + Confidential
Good reproduction steps:
See my PoC at https://example.com/x
Details:
1. With clickjacking, the user clicks on
the “Enable XSS” button.
2. Then an iframe is navigated to the
vulnerable XSS page.
3. The “title” URL parameter is
interpolated without escaping.
4. JS is injected that reads the user’s
emails and alerts the text of the first.
Source: This is not real VRP report
 Proprietary + Confidential

Demonstrate the minimum Good report:

impact - we’ll reward the Hi,

maximum impact
I’ve successfully leaked sensitive user data
Impact: What can the attacker do having from a test account I’ve set up, using an
authentication bypass vulnerability. I didn’t
exploited the vulnerability?
try to exploit this for real user data.
Don’t do real damage, or steal user data.

Use test accounts for testing.

We’ll determine and reward the maximum

impact—no need to demonstrate it.

Source: Based on a true story


Always verify tools’ output
Tools often report false positives.
We very rarely receive valid reports
generated by public automatic scanning
tools.
Our top researchers use custom built
scanning tools.
Proprietary + Confidential
I’ve attached a 5MB zip with the text
output of my X tool. EVERY Google
page is affected by these cyber
vulnerabilities. Please read it ASAP!!!!
Source: Based on a true story
 Proprietary + Confidential

Include a Video if it’s Hard

to Explain Otherwise
In most cases, text is good enough.

Make it as short as possible.

If you have links, please include them in

the text.

Source: wikimedia.org
Proprietary + Confidential
 Proprietary + Confidential

+1: Be Polite

“
I have 2 SQLi's I am willing to sell to you
to fix it. that is 20k$. payment only
Don’t CC Larry or Sergey accepted by bitcoin. …

Don’t CC Gerhard (VP Security & Privacy) dont pull magic tricks, or they will be sold
on black market. …

In Russia SQLi hacks you or something

like that. You can call up fbi, fsb, interpol.
I dont care. You know what you have to
do, do it or dont.

”
Source: Anonymous VRP Reporter

+2: Hack for charity!
We double rewards donated to charity!
Don’t register a fake charity.
Proprietary + Confidential
You may have read about Sanmay Ved, a
researcher from who was able to buy
google.com for one minute on Google
Domains.
Our initial financial reward to Sanmay—$
6,006.13—spelled-out Google, numerically
(squint a little and you’ll see it!).
Because Ved was donating the money to
charity, Google offered to double the
amount that would go to The Art of Living
India.
Source: Google Security Blog, Business Insider
 Proprietary + Confidential

Bonus Tips for Beginners

Use your native language in the reports (I read the Hungarian reports)
Start with acquisitions + usual web vulnerabilities (probably no reward!)
Read the articles on the Bughunter University
● Usual non-qualifying findings
● Improving your reports
Be persistent - some of our best reporters started with low quality reports, improved a lot over time
THANK YOU
g.co/vrp