Google should be ashamed of themselves for this meaningless, token “make ourselves feel good” payout. They have straight up exploited the reporter of the exploit.
This could have been used to make millions and they took advantage of the reporter’s good faith and benevolent motivations.
Google, this is worth at least $1,0000,000 to you guys, and even more, in lost revenue, plus the impact of what gaming your search algorithm would have cost and damage to your reputation. Stop taking advantage of people.
They are not setting a very good precedent with this, that's for sure. Not everyone will be as white hat as this guy and opt for a little more value. Would this have been even an illegal thing to do per se? Could companies have sued him for lost profit? Anyway even 100k would have been nothing to Google. You shouldn't try to be a cheapskate with this.
> they took advantage of the reporter’s good faith and benevolent motivations.
Someone with truly benevolent motivations does good things because they believe it's the right thing to do -- not because of a monetary reward. I'm not saying they shouldn't pay him more, but I think it's going a bit far to say they're "taking advantage of him".
If I find a wallet on the ground and there's $200 cash in it, I'll return it to the owner and leave all the money there. I don't expect a reward and certainly don't feel like I'm being taken advantage of if they don't give me some of that $$.
Yeah, but you might feel differently if instead of $200 it had $10m cash. And instead of accidentally coming across it on the ground, you spend months of your own time just walking the streets looking for such a wallet to return. And also the owner is one of the richest men in the world.
I'm not surprised at all that Google rewarded this low. This is why there will always be more blackhat SEOs than reporters. Because companies are too cheap to realize how valuable these discoveries are. They are getting too greedy. I agree 100% that this should have been at least $1,000,000 if not much more. If this continues Google could be the next Facebook ^_^ Let's use DuckDuckGo instead everyone ;-)
Good point. Google probably argued it's just an Open Redirect, whereas it's an elevation (in the site ranks) with immediate impact on site owners. Hope Google makes this right for the finder and hands out an elevation payout (it's possible to bend your own rules, I doubt this kind of finding is in their typical payout matrix)
There is definitely an asymmetry between the entity that posts a bug bounty and the hunter of that bounty. It's the principal-agent problem: The entity that posts the bounty is also the same agent that decides whether to hand out the bounty or not. The bounty in most cases is variable so it's in their best interest to make some attempt to withhold the bounty by arguing for a lower-valued classification or no classification of the bug.
Perhaps it would make sense for a third-party "bounty escrow" agency to exist. The escrow agency may be able to provide impartial arbitration of the exploit, and this may have the side effect of coming to a decision faster and promoting a quicker actual bug fix for the end-users.
Well I don’t know if it lost (Google) revenue (interested in understanding how if actually so? maybe missing something), but yeah it was definitely worth a lot of money to anyone who knew of it as a 0-day, and would have been lost traffic/revenue for the SERPs being bumped down.
@TomAnthony, This is f*up, google should have given you at least $1,337,000 bounty for this. This is one of the most profitable exploits I've seen discovered by anyone. Plus you've done the right thing and reported it. Good job on this discovery!
"I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer."
You're valuing yourself way too low. You've done a good job with this and should receive more bounty for it. Also see if you can earn more for doing research elsewhere; https://www.bugcrowd.com/bug-bounty-list/ Also maybe use something like; https://www.hackerone.com/
To answer a few FAQs I've had over the last few days:
- I've not seen a confirmed use of this in the wild yet, despite a few people emailing me stories where they suspect it.
- I am unsure what is with the bug bounty amount. I think either:
1) The various teams didn't communicate well about the impact until after the award,
2) I haven't fully understood the bug, however as per VRP rules I stopped when I had "discovered a potential security issue", at which point "The panel will consider the maximum impact". It may be I've not understood the impact fully.
3) They want to discourage SEO type research as opposed to pure security research, but I doubt that is the case and it doesn't match up with my previous dealings with the team.
- There are a few technical details not in the article (for example I believe the sitemap has to be a sitemap index file), but nothing that greatly changes it.
- If you are concerned you are affected, I'm happy to take a quick look at your data for free (tom.anthony@distilled.net) to see if I have any insights.
- The best/only way to detect this being done to you is to find the 301/302 redirects for the sitemap in your server logs.
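As an added example (not from Tom's post or the original thread), here is a small log check for the detection method described above: it scans web server access log lines in the common Apache/nginx combined format for sitemap requests that were answered with a 301/302. The sample log lines, the IP addresses and the sitemap path pattern are all constructed assumptions.

```python
import re

# Apache/nginx combined log format. Assumed layout; adjust the pattern if your
# server uses a custom format or a different field order.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Anything that looks like a sitemap file: sitemap.xml, sitemap_index.xml, sitemap-1.xml.gz
SITEMAP_RE = re.compile(r"sitemap[^/]*\.xml(\.gz)?$", re.IGNORECASE)


def find_sitemap_redirects(lines):
    """Return sitemap requests on this host that were answered with a 301/302.

    A sitemap URL under your own domain that redirects (especially when fetched by a
    crawler) is the signal the post describes. Each hit should be compared with your
    intended redirect rules; a redirect you did not configure needs investigation.
    The combined format does not record the Location header, so the redirect target
    must be read from the server configuration or a custom log field.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if m.group("status") not in ("301", "302") or not SITEMAP_RE.search(path):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "path": path,
            "status": m.group("status"),
            "ua": m.group("ua"),
            # User-Agent strings are trivially spoofable; treat this only as a hint.
            "googlebot": "Googlebot" in m.group("ua"),
        })
    return hits


# Constructed sample log lines (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Sep/2017:10:12:01 +0000] "GET /sitemap.xml HTTP/1.1" 302 0 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [21/Sep/2017:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [21/Sep/2017:10:13:44 +0000] "GET /sitemap_index.xml?v=2 HTTP/1.1" 301 0 "-" "curl/7.55.1"',
    '203.0.113.9 - - [21/Sep/2017:10:14:00 +0000] "GET /sitemap.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    "this line is not an access log entry",
]

if __name__ == "__main__":
    for hit in find_sitemap_redirects(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} -> {hit["status"]} googlebot={hit["googlebot"]}')
```

Run it over a real access log with `find_sitemap_redirects(open("access.log"))`; on the constructed sample it reports the two redirected sitemap fetches and ignores the 200 responses and the malformed line.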
Google doesn't issue rewards for SEO tricks. My guess is your sitemap redirection trick could be used to leak data about the victim site (search terms, traffic stats, malware URLs), or to do other privileged actions on behalf of the victim site now that the two domains were linked (for example sign up for Google Apps or trigger rate limits, DoS'ing the victim's ability to use certain APIs)
Perhaps. We could argue the semantics of it, but it feels within the spirit of the VRP. It directly impacts the secure and correct functioning of a (the!) core Google service.
The VRP page [0] talks about the "maximum impact" and this impacts users and advertisers, as well as businesses relying on organic Google traffic.
However, I take your point - I'm aware this is not a typical sort of issue for a bounty.
To reiterate - I am grateful to Google that they run the bounty programme and that they awarded a bounty for this. I've previously reported several issues (e.g. [1]) that have not been rewarded any bounty, which is the nature of the programme and absolutely fine.
I’ve worked at other companies in teams that take these security reports in. There’s no excuse for their long delays in response, you showed them clear abuse immediately. I wish you would have given them the tavis experience. Next time use Google’s own terms, with a set date on when you will publish to put pressure on them. They do this to others and need to be held to the same standards.
Nice work! It is amazing how a bug that so many people don’t care about (open redirects) could have been used to exploit Google’s prime income generator.
If nothing else, you can use this as a nice gem on your resume, which can help you get more interviews or better paying jobs in the future.
I think if it worked more broadly (I couldn't test without risk at that point) you could make decent money off of this just through affiliate programs.
I've been doing research like this for 5+ years, and you go in knowing most of it won't lead to anything. I'd hoped for more, but I could have simply failed again and got nothing! :)
As I've said below, I'd have reported it anyway even without a bounty; however I probably wouldn't have done the research in the first place were there not a bug bounty programme.
I've previously had 2 bounties from Google. One was an easy find and was also $1337. The other was more technical but still straight forward and also played to SEO and got $5000 - in that instance Matt Cutts was involved and I believe advocated for the amount (thanks, Matt!). This was far more impactful than that other issue, and more directly monetisable.
I do have to ask...were you at all tempted to try to monetize this? The guys in the BHW thread aren’t wrong about the potential. I applaud you for taking the high road, I’m just curious if the thought of giving away probably low six figures/day for $1337 nags at you at all.
It is a good question. I wouldn't have monetised this and would have still reported it, because doing so would hurt legitimate businesses (by pushing them out of the results).
However, I have to admit it does nag at me a bit that the bounty is so small - it is like they are trying to send a message but I'm just not sure what it is!
I have done loads of research over the last 5 years (this exploit took me a couple of months to craft) and most comes to nothing, and then, when I do find something big, it is frustrating that the bounty is so small. A bigger bounty would have made a meaningful difference to me (kids+no savings!).
The broader issue is how this may play to motivating people to discover/report these sorts of issues in the future. I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer.
This is a straight-up 100k-500k bug. If I were to discover this bug and know I'd only get $1k and be a "good guy" vs. getting millions, well...
The fact is that these bug bounty programs should start paying competitive prices. They can lowball it by 10x-20x at most, but lowballing by 1000x leads to people just giving up their ethics.
Almost as if a bug bounty program should show the effect of the bug before explaining how it works. Then, Google will be more inclined to pay more if it wants the info on how the bug works.
> The broader issue is how this may play to motivating people to discover/report these sorts of issues in the future. I have a couple of other ideas for search related attacks, but am not sure I'm going to explore them any longer.
Agreed. Relative to the value of exercising this exploit, your bounty is missing a few 0’s at the end. I hope that you at least get some professional credit for this, and that it translates to a financial boost. You certainly deserve it for discovering something like this and doing the right thing with it.
Maybe not millions, but you could make a decent chunk of money in a number of ways. The obvious 'easy' one would be to spin up affiliate sites and rank quickly and easily for competitive terms (with a site that does not deserve to rank), by hijacking the equity (PageRank essentially) of one site and using it to rank in another region.
For example I could leverage the equity of a US made second hand car marketplace to rank my site in the UK and list UK Autotrader listings on my site. They have a nice affiliate program for clicks/leads.
Alternatively, I may only operate in one country but I could 'top up' my equity by leeching it from a company in a similar niche in another country. My competitors in my home country would be at a loss as to how I'm ranking so well.
It should be noted that there are a number of parameters that may change between my initial experiment and these uses, so we'll never know how viable it really was.
You could absolutely make millions off this. Getting to Google's first SERP for popular terms gives you a huge amount of very high quality, free traffic. Once this traffic lands on your site, you can use either CPM ads, sell the traffic on a CPC basis or just redirect through affiliate links to the searched product. It will be HIGHLY profitable since the traffic is essentially free.
This is an incredible bug, not just for its severity, but for its relative simplicity. And of course because it targets one of the most ubiquitous and popular and ostensibly secure software interfaces ever.
Also very interesting how long it took for them to figure out a solution. The bug report was filed and acknowledged in late September. According to the author, Google struggled with how to fix the issue for several months, even though the fix seemed simple ("don’t follow cross-domain redirects for pinged sitemaps").
To clarify, by "simple", I meant that the bug was discoverable, exploitable, and testable by Google's own public interface -- i.e. didn't require the researcher to break into anything, or find an otherwise extreme set of conditions. This isn't meant to impugn the skill of the researcher, just to point out how amazing it was that such a bug could exist in the open. I wonder if any analysis was done to figure out how many customers (good and bad) specified cross-domain redirects for sitemaps. Should have been easy to calculate, I assume.
Looking at the bounty amounts, this is insane. If you find a bug that allows you to take over a Google account, through "Logic flaw bugs leaking or bypassing significant security controls", the maximum payout is $13,337.
Sorry Google, but you should be paying $1,333,337 for that.
I'm with pretty much everyone else here. As symbolic as $1337 is, this is worth far more.
That said, if one had taken advantage of this, what legal repercussions could or would you face? I mean, technically I can't see anything _illegal_ here, albeit unethical. Assuming you wanted to, isn't this just playing the system?
I have discussed this with a bunch of people (and there is a discussion on Twitter right now [0]), and it seems quite unclear whether it would be illegal.
It would certainly be unethical, and if it is illegal it may mean many other shady black hat SEO practices are also illegal. I really have no idea though - would be interesting if there is a lawyer reading to hear any thoughts.
I was wondering this too. If the researcher was playing by the same rules that Google does with vulnerability disclosure, the post would have gone up months ago regardless of whether Google had fixed it yet or not.
There's nothing on the VRP which effectively covers business logic vulnerabilities. Realistically, this would be precisely why such a category would be needed.
Closest I can fit it into within their existing scheme is:
> Logic flaw bugs leaking or bypassing significant security controls -- Other highly sensitive applications [2] -- Vulnerabilities giving direct access to Google servers
But that's a stretch, and the payout is still atrociously low for the value you could've squeezed out of it, potentially legitimately (millions).
TomAnthony, in your position, I'd keep making a stink here and possibly even see what other quirks you might find in PageRank and just pocket them for now. I've reached out to some old members of the VRP team to see if they can shed any light on whether the VRP can be tuned a bit in response to this, but you certainly should've gotten more.
Thanks for your insights. I actually considered the same spot in the matrix as best fit, but also identified this sort of 'business logic' isn't a good fit anywhere in the matrix.
I'm British so not good at kicking up a stink! However, it is Google's VRP, and they are under no obligation to give anyone anything, so I am not sure I have grounds to do so anyway. As I've said elsewhere, it is just hugely de-motivating and a disincentive (for both me and others) for similar research in future.
I think it would be a great addition to the VRP for them to include things affecting the core algo (their main product), but imagine it would be tricky to do without also getting a huge number of very tenuous reports.
Has anyone ever heard of another case like this? I've been following search pretty closely for most of Google's existence and this is the only bug bounty payout I've ever heard of for a blackhat core algo exploit.
[Disclaimer: Tom's a colleague of mine at Distilled where I'm a founder]
The disclosure of the exploit signifies the status of the hacker. The amount of the award is a slap in the face that is entirely disproportionate to the value of the exploit.
A commenter (@ivan2kh) raises a good question... what happens if you submit "evil.xml" on "https://www.amazon.com/clouddrive/share/xxx", or similar? Any host that allows user submitted files, and hosts them under their domain, could be exploited right?
Serving user-submitted files from your main hostname is generally a bad idea because of the risk of XSS vulnerabilities. On Amazon cloud the content is served from the subdomain. Though it does raise a good point as a content domain/subdomain for a large website/service may have an impressive pagerank that could be exploited.
archive.org hosts with URLs like "https://archive.org/details/myfile.xml". They must have good pagerank for anything storage related. Perhaps a cloud storage service could use this exploit?
Although I agree that $1337 is definitely WAY too low, it's also someone's job to budget this and minimize payouts.
To Google, 100k is nothing and in good faith, they should definitely reward more, but when it ties into someone's KPI, it will be tough to get more. They'd have to work with PR to understand the tradeoffs, etc.
Alas, not. I thought the bounty would be larger, but I'd have reported it anyway due to the damage it could do to legitimate businesses being pushed out of the results. You can't do this sort of research and rely on a specific bounty payout.
Give this man what he deserves!