Two Indian hackers got a whopping $22,000, for spotting a security flaw in Google’s cloud program projects. They spotted a major server-side request forgery bug and subsequent patch bypass. The bug they found could have allowed someone to take control of someone else’s virtual machine with just one click.
The two hackers Sreeram KL and Sivanesh Ashok said that they were new to this platform and while they were exploring it, they found a problem in one of the features called “SSH-in-browser”. One of the hackers, Sivanesh Ashok said, “Since this was our first step into Google Cloud, we naturally stumbled upon one of the most popular products, Compute Engine. While exploring its features and how it works, I noticed SSH-in-browser. It is a feature in GCP that lets users access their compute instances, through SSH, via the browser. Visually, this interface looks very similar to Cloud Shell.”
The feature allows users to access their computer instances like a virtual machine through their web browser, using a protocol called SSH. After reporting this flaw, Google fixed the issue by adding a security feature called cross-site request forgery (CSRF) protection to the GET endpoints and improving the verification process of the domain.
The two hackers also spotted a bug in another Google cloud platform “Theia”, in which they found that the version of Theia they were using was not the latest one. They looked for vulnerabilities in this version and found multiple ones, but not all of them could be used to exploit the system. Some of them were removed from the installation or required unrealistic user interactions, such as uploading a file and then opening it, which made it difficult to exploit the system.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
