Schoolboy bags $10,000 reward from Google with easy HTTP Host bypass

www.theregister.co.uk | 8/10/2017 | Staff

A teenager in Uruguay has scored big after finding and reporting a bug in Google's App Engine to view confidential internal Google documents.

While bored in July, high schooler Ezequiel Pereira, who has all the makings of a competent security researcher, used the Burp Suite proxy to manipulate the Host header in HTTP requests to Google's App Engine. The 17-year-old's target: webpages protected by MOMA, Google's employees-only portal, apparently named after a museum of modern art.


Normally, connecting to a private staff-only Google service requires signing in via MOMA. However, it appears that not all of these services independently verified that the visitor was authorized to view the content; some relied on the front end having routed the request to them at all.

By connecting to a public Google service, such as www.appspot.com, and changing the Host header in the HTTP request to, say, yaqs.googleplex.com, Pereira had his request routed to Google's internal project management system YAQS. Viewing that system should have required a MOMA sign-in, but instead he was able to view YAQS pages marked "Google confidential." The Host header is entirely client-controlled, so a shared front end that selects a backend from it cannot treat that routing decision as evidence that the visitor has authenticated.
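To make the failure concrete, here is an added example (not code from The Register, Pereira, or Google) modelling a shared HTTP front end that picks a virtual host from the client-supplied Host header. The weak router serves internal vhosts as soon as the header names one, the way the article describes; the hardened router still routes on Host but enforces the SSO session check on every internal request, whichever public endpoint the TCP connection arrived on. The hostnames, the `MOMA_SESSION` cookie name, and the session store are assumptions for illustration only.

```python
"""Added example: Host-header routing, weak form beside hardened form.
Hostnames, cookie name and session values below are assumptions for
illustration; they are not Google's real configuration."""
from __future__ import annotations
from http.cookies import SimpleCookie

INTERNAL_HOST_SUFFIXES = (".googleplex.com",)   # assumed staff-only vhosts
PUBLIC_HOSTS = {"www.appspot.com"}              # assumed public entry point
SESSION_COOKIE = "MOMA_SESSION"                 # assumed SSO cookie name
VALID_SESSIONS = {"s3ss10n-employee-42"}        # constructed sample store


def build_raw_request(spoofed_host: str, path: str = "/", cookie: str | None = None) -> bytes:
    """Build the bytes a proxy like Burp would send. HTTP/1.1 carries no record
    of which public hostname the TCP connection was made to; the Host header
    is whatever the client chose to write."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {spoofed_host}", "Connection: close"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus lower-cased headers."""
    head, _, _ = raw.decode().partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def normalize_host(value: str) -> str:
    """Canonicalise Host: case-fold and drop an explicit port, so
    'Yaqs.Googleplex.com:443' and 'yaqs.googleplex.com' route the same way."""
    host = value.strip().lower()
    if host.startswith("["):                       # bracketed IPv6 literal
        return host.split("]", 1)[0] + "]"
    return host.partition(":")[0]


def has_valid_session(headers: dict) -> bool:
    """Check the SSO cookie against the (constructed) session store."""
    jar = SimpleCookie(headers.get("cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    return morsel is not None and morsel.value in VALID_SESSIONS


def route_vulnerable(raw: bytes) -> tuple[int, str]:
    """Weak front end: the backend is chosen purely from Host, and internal
    vhosts assume anything that reached them was already authenticated."""
    req = parse_request(raw)
    host = normalize_host(req["headers"].get("host", ""))
    if host.endswith(INTERNAL_HOST_SUFFIXES):
        return 200, f"Google confidential page from {host}"
    if host in PUBLIC_HOSTS:
        return 200, f"public page from {host}"
    return 404, "unknown host"


def route_hardened(raw: bytes) -> tuple[int, str]:
    """Fixed front end: Host still selects the vhost, but an internal vhost
    checks the session on every request instead of trusting the routing."""
    req = parse_request(raw)
    host = normalize_host(req["headers"].get("host", ""))
    if host.endswith(INTERNAL_HOST_SUFFIXES):
        if not has_valid_session(req["headers"]):
            return 302, "redirect to SSO login"
        return 200, f"Google confidential page from {host}"
    if host in PUBLIC_HOSTS:
        return 200, f"public page from {host}"
    return 404, "unknown host"


if __name__ == "__main__":
    spoof = build_raw_request("yaqs.googleplex.com")
    print("vulnerable:", route_vulnerable(spoof))   # served without a session
    print("hardened:  ", route_hardened(spoof))     # bounced to SSO
```

The point the hardened version makes is that the authentication decision has to live with the resource, not with the path the request took to reach it: a spoofed Host header, with or without a port suffix or odd capitalisation, still lands on the internal vhost, but that vhost now refuses to serve anything without a valid session.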


The student reported the loophole to Google on July 11, and on August 4, about a month before his 18th birthday, he was told the issue had been fixed and that he had earned a $10,000 reward from the ad giant's bug bounty program. Pereira, who had previously earned a few thousand dollars for reporting vulnerabilities to Google, was stunned by this single payout.

"I just think it was a very simple bug and I didn't expect the large bounty at all," he told The Register on Thursday. "Maybe I'll learn how to...
(Excerpt) Read more at: www.theregister.co.uk