Home / Cyber Security / Google Bug Bounty – The $5k Error Page
google6.png

Google Bug Bounty – The $5k Error Page

Well, this is going to be quite a short post ..
In January I was looking at some Google services hoping to find something worth a bounty.
I came across https://login.corp.google.com which is nothing more than a simple login page (seems to be for Google employees themselves …)

login.corp.google.com Login Page

Every time the page is accessed, a new image from https://static.corp.google.com is loaded directly into the page. Nothing too fancy happening here hm?!
An example of such an image URL is https://static.corp.google.com/corpsso/images/PICT0004.jpg

Well, after trying some other things I thought provoking an error here is the best thing I can do: I accessed https://static.corp.google.com/corpsso/asd/ and the default Google 404 page appeared with one difference:

Special Google 404 Page

Special Google 404 Page

I found a feature!

Lets check out what this is about. The “Re-run query with SFFE debug trace” link pointed to https://static.corp.google.com/corpsso/asd/?deb=trace.

SSFE and XFE HTTP Request

SSFE and XFE HTTP Request

Uff … That’s bad …

I was able to access internal debug information on static.corp.google.com by just adding “?deb=trace” to a 404 URL.
I saw the complete X-FrontEnd (XFE) debug trace and much more. I am still not sure what “SFFE” stands for but it seems that it’s something like a request engine in Googles backend that handles for example Bigtable Lookups.
Bigtable is a “high performance NoSQL database service for large analytical and operational workloads”. For more information go here.

I was also able to view the SFFE response headers which indicate, that nothing was found …

SSFE Response Headers

SSFE Response Headers

In another section of the debug page I had access the complete Bigtable lookup flow which was performed due to my request (sorry for all the blacking):

Replicated Bigtable Lookup Flow

Replicated Bigtable Lookup Flow

This flow contained table names and paths of different Bigtables which were queried because of my request.
So basically I was able to access Google internal information like:

  • Internal IP of the server which was used for the query (I think ..) + its uptime
  • Name of the server (the name is actually a link which is not accessible from the Internet but seems to point to Google Borg clusters)
  • SFFE Request and Response Headers
  • XFE HTTP Request
  • Replicated Bigtable Lookup Flow
  • Service Policies

The page did not allow any user interaction and I haven’t found anything to “go deeper” into the system so i reported it right away.

It was my first bounty I got from Google!

Detailed Reporting Timeline

19/01/2017 – Initial report
20/01/2017 – Report triaged
20/01/2017 – Nice catch!
10/02/2017 – Google already fixed the issue but forgot to tell me … I contacted them asking for an update
19/02/2017 – Got a response, they implemented a short-term fix and forgot to sent my report to the VRP panel …
10/03/2017 – Got $5000 bounty
16/03/2017 – Google implemented permanent fix

About admin

mm

Check Also

android-ui-feedback-loop.jpg

New class of attacks affects all Android versions

Researchers have demonstrated how a malicious app with two specific permission can stealthily compromise users’ ...

Leave a Reply

Your email address will not be published. Required fields are marked *