Background Image

Blog Post

Nov 13

Google's Bounty Hack

Mashable mentioned in an article, that Google is looking for hackers to participate in their challenge. The goal is of course to pay out $1000 in addition to the reward from any given app exploited and reported. To quote the article: "Here's how it works. If you find a security vulnerability in one of the participating apps, you can report that vulnerability to the developer, and work with them to fix it. When the problem has been resolved, the Android Security team will pay you $1,000 as a reward, on top of any reward you get from the app developer."
As an example of what they might expect - I'll offer the following: Dropbox


Here is dropbox's github where you can find the api tools. Their API Explorer, where you can find example apps. and a tutorial on using beef that could possibly be used to trick someone into a second sign in, which would log their data and potentially exploit their entire google account.

Scrape Vs PWN

Now the question becomes, can you integrate one such tool with the other so that you aren't just sending someone an exploit link through dropbox? It depends very much on what sort of application the API credentials let you build. On the one hand it should be possible to add in some kind of native scraping tool via beautiful soup, or maybe some other python library. But is that easier than building in a Java exploit? There are too many ways to technically do something like this.



Wait A Second There Are Laws Aren't There?

Granted some of these tutorials may make it sound like we're talking about designing a vector to actually exploit the users of the service. These specific vectors may not be easy to incorporate into the API of Dropbox, maybe Tinder? The thing you have to consider is that Google wants you to try to do it. They actually need the improved security that intentional hacking provides, and along with it the Proof Of Concept, and the fix.
So really what you are looking at is $1000+ dollars to create documentation of some scripting, and a working example, and a remedy. This begs another question, why only $1000 + whatever the app pays? 

Probably to only have to pay out what they anticipate.

Aside from there being countless ways someone could go about doing these things, and countless people who could already be doing these things, there are also plenty of ways to prevent such exploits already under development. At $1000 the style of hackers who will be attracted to the bounty are a control group of sorts, but that's speculation on my part. I'd guess that really Google wants to see if anyone will try a vector they didn't anticipate, but for $1000 who knows if anyone would.
You Really Only Get What You Pay For - Slightly Less At A Bake Sale

If an API can be scripted with minimal fuss, the first wave of exploits will be based on whatever tools can be imported into that same script. At least, that's what conventional thinking would suggest. Other possibilities include: "faked credential apps," with unwarranted permissions and offers of "automatic followers" or something similar on tinder or instagram... makes you want to double check for your apps authenticity doesn't it? After all someone out there does all of the this for free + the sweet reward of all of your data. Go clear those cookies and add another few letters to you password... lol

Add Comment:
Please login or register to add your comment or get notified when a comment is added.
1 person will be notified when a comment is added.