Six winning write-ups ranged from identity management issues and privilege escalation to 'full blown RCE'
Using an internal version of the Google Cloud Platform (GCP) service, Uruguayan researcher Ezequiel Pereira managed to issue requests to internal endpoints via Google's global software load balancer, as set out in the technical write-up that clinched the top prize.
This was a significant increase on the $100,000 prize handed out for the inaugural Google cloud security competition, launched in 2019 to bolster the security of the myriad GCP services used to build Google products.
While 2019 had a single victor, Google also awarded cash prizes, on a sliding scale, for the next five most compelling submissions.
'King of GCP bug hunting'
Pereira said he was "shocked" at the news.
"I think every one of the winning write-ups is an amazing showcase of Google Cloud security research, which other researchers might later base [their own research] on, and I hope to see more amazing write-ups come out in 2021," he told The Daily Swig.
"I don't yet have any plans for probing GCP or any other platform in 2021, although I'll focus on Facebook since I'm going to work there as a security analyst for their Whitehat program."
Pereira has always been "the true king of GCP bug hunting, and now he has been crowned by the Google VRP team," Wouter ter Maat, the competition's 2019 winner, told The Daily Swig. "Awesome and totally deserved!"
Popular infosec video channel LiveOverflow, meanwhile, has published an interview with the winner to coincide with the announcement.
Make it rain
In exploiting the flaw in the service's uptime check, the researcher managed to expose "project-level" metadata including the public SSH key and project name, and "instance-level" metadata such as machine type and CPU platform.
The same cash prize was earned by third-placed research duo Dylan Ayrey and Allison Donovan for finding privilege escalation paths related to default permissions in GCP services, and for a write-up that – in contrast to their technically-focused Black Hat talk on the research – dissected the "political mechanics" and "trade-offs" involved in addressing vulnerabilities.
In fourth place, Bastien Chatelard netted a $31,337 prize after capitalizing on shortcomings in Google Kubernetes Engine's gVisor-based sandboxing feature to access the metadata API.
Finally, fifth and sixth place prizes of $1,001 and $1,000 were respectively won by Brad Geesaman for his 'ContainerDrip' research, in which ctr/containerd was duped into leaking registry credentials, and Chris Moberly for achieving privilege escalation in GCP's OS Login.
'Wide variety of bug classes'
"2020 turned out to be an amazing year for the Google Vulnerability Reward Program," said Google in a blog post published yesterday (March 17). "We received many high-quality vulnerability reports from our talented and prolific vulnerability researchers."
Having read all of the winning write-ups, Wouter ter Maat noted a rise in standards and in the number of submissions compared to 2019, when he claimed the sole prize courtesy of a quartet of Google Cloud Shell bugs.
"It's great to see that a wide variety of bug classes" among the winners, "ranging from IAM issues and privilege escalation to full blown RCE," he said. "These winning articles could provide future GCP researchers with a great place to start their own research."
Next year's GCP prize will again see judges select the six best write-ups of GCP vulnerabilities validated under the VRP, with prize money also remaining the same.
The deadline for submissions is December 31.