Google has awarded an Uruguayan high school student $10,000 for discovering and reporting a bug he found in Google's App Engine server.
The student, Ezequiel Pereira, explained that he used Burp to change the Host Header in requests sent to the server (*.appspot.com) in an attempt to get access to internal App Engine apps (*.googleplex.com) and in the process came across a website that had no security on it.
Pereira explained that his initial attempt to access App Engine apps failed. The server was either returning a "404 Not Found error" or was checking whether the request was coming from a Google account ([email protected]) instead of the normal google account.
Also Read: New iOS video bug crashes any iPhone device -- follow this tip to protect your iPhone
However, Pereira eventually stumbled upon a Google website (yags.googeplex.com) where no username check was performed and other security measures were absent.
"The website's homepage redirected me to '/eng', and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before i visited any section, i read something in the footer: 'Google Confidential'," Pereira explained.
The student explained that he didn't poke any further when he saw the confidential notice, instead the retraced the steps used in discovering the vulnerability and then reported it to Google.
The student produced the bug using Burp, went to the Repeater tab. Set the host to "www.appspot.com" and the set the target port to "443", tick the "Use HTTPS" option. Write a raw HTTP request: GET /engHTTP/1.1
Host: yags.googleplex.com
(and then two extra lines before clicking on go)
Google confirmed the report as valid and then awarded the student several weeks later.