I have been doing bug bounties since September 2013(Asana was the first), participated and qualified in almost all bug bounties at least once. My bucket list had Facebook, Yahoo, Twitter, Dropbox, Github and 100+ such sites (including couple of YC Startups ) but Google VRP was tough nut to crack. I always wanted to start my bug bounty story with Google, but failed in past with few duplicates.
I was watching 2016 Google I/O, Firebase was the main focus. I had reported couple of security issues when they were quite young. Got a mini box full of stickers, bands and hot souces for my contribution.
So when I saw Firebase got a new site that too on a *google.com(https://firebase.google.com/), it all came back to me.
The minimum bounty on Google main domain(*.google.com) is $500, more than that you’ll get your name in prestigious Google Hall of Fame.
XSS on firbase.google.com
will render the image tag on the project page with PROJECT_NAME. Though I was not able to get an alert box (I was using onerror=alert(0) but later got to know onmouseover=alert(0) was working ) but Google accepted the XSS anyway.
In worst case attacker had the ability to get Google cookies just by sending a malicious firebase project link.
Google paid $5000 for this.
Clickjacking on Google Analytics
When I was trying to open the domain in an iframe, it will open for few seconds and redirect to main domain. So I had to find a way to stop the redirection, there are couple of bypass listed on OWASP for client side CJ protection. Using OWASP bypass I was able to create the POC. Google accepted the bug and paid $500 for this.
2 success boosted my lost confidence with Google. Though I had made a mistake, I should have tested Firebase old site as well while testing new one.
After these two issues, I came back to Firebase and found a critical CSRF where attacker can add user in any Firebase project.
Visiting the following link will add a user with email ‘email@example.com’ with password ‘hello12345.’
Visiting a web page with above link inside an image tag will add an external user to any Firebase application.
Since it was an API issue both new as well as old site were affected. Google said “Nice catch” at first, later they found out it is duplicate of an existing report. I missed this one by 1 or 2 days.
Lesson learnt “Never celebrate early and never get satisfied with work”.
Google VRP is one of the toughest and best vulnerability reward program out there, you’ll get the first update within 24 hours and payments are also good.
I also got a private VIP invitation for a “Invitation only program” in Vegas and a vulnerability research grant of $1337 to work on Google beta products and security research.
At the time of posting this, I’m ranked #63 worldwide on Google VRP (https://bughunter.withgoogle.com/profile/a2cfa278-404f-40f8-954e-c2b0428b5e82) .
If you have any questions, suggestion regarding this post or want to hire me – feel free to reach out on my Twitter.