Comment by cedws

1 year ago

Is it just me that feels $1337 is an insult? FAANG pays way too low bounties for this kind of stuff. This kind of info would be much more valuable on the black market.

To be clear, the information shows a rogue employee how to create accounts in third-party apps (Slack, Zoom, etc.) that won't be automatically deleted when the employee is terminated. I'd love to hear why you think this information would be "much more valuable" than $1337 on the black market as that is not obvious to me.

Also, if anyone should be paying bounties, it's the third-party apps, since they're the ones which are vulnerable. I'm impressed Google is paying a bounty just for pointing out a footgun. I would probably not have bothered reporting this to Google if I had found it; $1337 would be more of a pleasant surprise to me than an "insult".

  • In fact I'd argue that Google paying a bug bounty for something that is well-defined and documented behavior and will never be "fixed" actually undermines the program.

  • > Because these non-Gmail Google accounts aren’t actually a member of the Google organization, they won’t show up in any administrator settings, or user Google lists.

    That's why. This bug allows an attacker to retain access to various accounts attached to an already-compromised company or employee of the company. Not only that, but the retention is completely invisible to the account administrators.

    Needing the same level of access that an employee has in order to utilize it doesn't make it less valuable. There are plenty of valuable bugs that can only be utilized from specific positions. Consider how many hacks have happened because an employee's devices or accounts were compromised, rather than some server system that no one individual owns. The recent Okta hack happened that way.

    • The rogue accounts would show up in the administrative settings in the third-party apps, and they would stick out like a sore thumb because they'd have weird email addresses. So they're not completely invisible, albeit not visible from one central place.

      > Needing the same level of access that an employee has in order to utilize it doesn't make it less valuable.

      The only way that would be true is if compromising an employee account has no cost, which is obviously not the case. Thus, attackers would prefer to purchase a vulnerability that doesn't require also compromising an employee account.

      I trust tptacek is correct that Zerodium wouldn't even pay $133.70 for this: https://news.ycombinator.com/item?id=38722395

But why should Google pay them at all? One of the first screenshots of their documentation says you shouldn't trust the email claim, so they're obviously aware of this issue. The problem is third parties using Google's OAuth incorrectly. If anything, Slack/Zoom/etc should be paying.
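The two comments above (the quoted "won't show up in any administrator settings" point and the "shouldn't trust the email claim" point) describe the same relying-party mistake from two sides. As an added illustration, not code from the thread, the blog post, or any vendor, here is the naive claim check beside a hardened one, plus the directory reconciliation an app admin can run to spot accounts that are not members of the Workspace organization. The ID-token claims and the member/directory lists are constructed inline; the corporate domain `example.com` and the helper names are assumptions for the example. It assumes the token's signature, issuer, audience and expiry were already validated by your OIDC library, since those checks are out of scope here.

```python
"""Added example: accepting a Google-issued OpenID Connect ID token safely.

Illustrative code written for this discussion, not Google's code or any
vendor SDK. Claims below are constructed by hand; in production they come
from a signature-verified ID token whose iss/aud/exp were already checked.
"""

# Assumption for the example: the Workspace domain this application serves.
CORPORATE_DOMAIN = "example.com"


def naive_is_corporate_user(claims: dict) -> bool:
    """The pattern the thread criticises: trust the address string alone."""
    return claims.get("email", "").lower().endswith("@" + CORPORATE_DOMAIN)


def strict_is_corporate_user(claims: dict) -> bool:
    """Hardened check.

    Google sets the `hd` (hosted domain) claim only for accounts that belong
    to a Workspace/Cloud organization. An unmanaged Google account created on
    a corporate mailbox carries a verified corporate `email` but no `hd`, so
    it fails here even though the address looks right.
    """
    if claims.get("email_verified") is not True:
        return False
    return claims.get("hd", "").lower() == CORPORATE_DOMAIN


def find_orphaned_members(app_members: list, directory_emails: list) -> list:
    """Defender-side reconciliation for a third-party app's member list.

    Returns app accounts whose address is absent from the Workspace
    directory export; these are the accounts that deprovisioning will never
    touch because the identity provider does not know them as members.
    """
    known = {e.lower() for e in directory_emails}
    return sorted(m for m in app_members if m.lower() not in known)


# Constructed sample claims (not real tokens or real accounts).
MANAGED = {
    "iss": "https://accounts.google.com",
    "sub": "constructed-1",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
}
# Unmanaged Google account created on a corporate address: verified email,
# but no `hd` because it is not a member of the organization.
UNMANAGED = {
    "iss": "https://accounts.google.com",
    "sub": "constructed-2",
    "email": "tickets@example.com",
    "email_verified": True,
}
CONSUMER = {
    "iss": "https://accounts.google.com",
    "sub": "constructed-3",
    "email": "mallory@gmail.com",
    "email_verified": True,
}

# Constructed directory export and third-party app membership.
DIRECTORY = ["alice@example.com", "bob@example.com"]
APP_MEMBERS = ["alice@example.com", "tickets@example.com", "bob@example.com"]


if __name__ == "__main__":
    for name, claims in (("managed", MANAGED), ("unmanaged", UNMANAGED), ("consumer", CONSUMER)):
        print(f"{name:10} naive={naive_is_corporate_user(claims)!s:5} "
              f"strict={strict_is_corporate_user(claims)}")
    print("not in directory:", find_orphaned_members(APP_MEMBERS, DIRECTORY))
```

The naive check admits the unmanaged account because its address string is identical to what a real employee would present; the strict check rejects it because membership is asserted by `hd`, not by the mailbox domain. The reconciliation function is the other half of the defence: run periodically against each SaaS app's member export, it surfaces exactly the accounts that the admin console will never list.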

Nope, I'm with you. Based on the quick blurb about what the vuln was, $1337 is an absolute steal for Google. Paying for a team or outside pentesters to attempt to find this would be _way_ more expensive.

  • > Paying for a team or outside pentesters to attempt to find this would be _way_ more expensive.

    But doesn't Google have teams of internal pentesters already? You could hire dozens of external companies and they might not find it.

    This system is a "no cure, no pay" approach. I do think they should have paid the reporter a lot more though.

  • Especially when Microsoft paid out about 75k for essentially the same issue.

    • Did Microsoft pay the entire $75k? The people who found that issue reported it to multiple stakeholders, and their blog post[1] merely says they were awarded $75k in total. I assume the bulk of the bounties were paid by the service providers who failed to heed the warning in Microsoft's documentation.

      Also, the Microsoft issue was far worse as it could be exploited by anyone; the Google issue requires a rogue employee or a misconfigured email ticketing system.

      [1] https://www.descope.com/blog/post/noauth


From a practical perspective, they probably should "match" what the black market values these exploits at, and I surely wish they could give much higher bounties in general (and they for sure can afford to!), but I don't think they ethically need to (so it's not an insult in my view).

Turning these exploits/vulnerabilities over to the black market is not only immoral but also highly illegal, so the "value" is inflated due to these "risk" factors. You can't really expect the same from the affected company themselves.

It's like saying if you found a lost item and you ask a large sum from the owner when you return it, because "I can get much more if I choose to just sell it on the street".

  • > Turning these exploits/vulnerabilities to black market is not only immoral but also highly illegal

    I assumed 'black market' here means irresponsible disclosure, for which there are many sites operating legally (Zerodium being a prime example).

    Who are the customers? Theoretically nation-state actors, but do we really know? Either way, you're selling the vulnerability to a private party. To my knowledge, selling knowledge of an exploit to almost anyone is legal (unless it could be classified treason or a threat to national security or something).

    As is publishing the security research after responsibly disclosing (as the blog author did here), though we've had to fight pretty hard to get to the point where warning people of threats to their digital safety (often because companies are too lazy to protect their users) is generally understood to be legal.

    • I'm not a legal expert, but is it necessary for an act to pose a threat to "national" security for it to be considered illegal in places like the United States?

      In my country, we have a law known as "The Crime of Destroying Computer Information Systems." This law makes it a criminal offense to intentionally harm computer systems in a way that could compromise them (which is somewhat vague in its definition, I'd admit). This includes leaking private information from these systems, and it applies even if the affected systems belong to private entities. And if you sell exploits to a third party and are later caught, you will be considered an accomplice and there are precedents for this.


  • If you pay too much in bounties, you risk having your own red-team employees leave so that they can report bugs externally and get paid much more via bounties.

Might this be because to be actually vulnerable a company needs to have the ticketing-like system in a sort-of unsafe setup?

Eh, depends on if the person is financially stable. The tongue-in-cheek number may stand out stronger on a resume.