Technology giant Google has rewarded two Indian hackers, Sreeram KL and Sivanesh Ashok, more than $22,000 (around Rs 18 lakh) as a bug bounty for reporting vulnerabilities in four Google Cloud Platform (GCP) projects.
Bug bounties are given by major tech companies to individuals who detect an error or vulnerability in their computer program or system.
The biggest bounty for the duo came from Vertex AI, Google's machine learning training and deployment platform, which netted them a pair of $5,000 payouts: one for a server-side request forgery (SSRF) bug and one for a subsequent patch bypass, The Daily Swig reported.
Sivanesh Ashok also published a write-up on his personal blog, ‘Geeky Cat’, explaining the bug and how the pair came across the vulnerabilities in the Google Cloud Platform projects.
Taking to Twitter, Sivanesh wrote, “A write-up about how Sreeram KL and I found a bug in Google Cloud that allowed us to take over a victim’s compute engine VM.”
“The flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud,” said Sreeram in one of his blog posts.
SSRF Bug
SSRF, also known as server-side request forgery, is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
In a typical SSRF attack, the attacker might cause the server to make a connection to internal-only services within the organization’s infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.
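The SSRF class described above, as an added example that is not code from the article or from the researchers' write-up: a Python guard a web application would apply before fetching a user-supplied URL, rejecting destinations that resolve to loopback, private, link-local (including the cloud metadata range) or otherwise non-public addresses. The FAKE_DNS table, the hostnames in it and the function names are constructed for this example; a real deployment would resolve with socket.getaddrinfo() instead.

```python
"""Outbound-URL guard against SSRF (added example, not the article's or the
researchers' code). Assumes the application connects to the *checked* address
and re-runs the check on every redirect target."""
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline (assumption, not real
# data). Production code resolves with socket.getaddrinfo() and then connects to
# the address that passed the check, not to the hostname, so a DNS rebinding
# between check and use cannot swap in an internal target.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "intranet.corp": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback record
    "v6-loopback.test": ["::ffff:127.0.0.1"],
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(text):
    """True only for a globally routable unicast address.

    Blocks loopback, RFC 1918, link-local (which covers the 169.254.169.254
    cloud metadata endpoint), multicast, reserved and unspecified ranges, and
    unwraps IPv4-mapped IPv6 so ::ffff:127.0.0.1 does not slip past.
    """
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global


def check_outbound_url(url, resolver=FAKE_DNS):
    """Return (True, address) if the server may fetch `url`, else (False, reason).

    `resolver` maps hostnames to the list of addresses DNS returned; every
    record must be public, because the HTTP client may connect to any of them.
    """
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        # Userinfo lets an attacker place a trusted-looking name before the real host.
        return False, "userinfo in URL not allowed"

    try:
        ipaddress.ip_address(host)  # IP literal: validate it directly
        records = [host]
    except ValueError:
        records = resolver.get(host)
        if not records:
            # Covers unknown names and obfuscated forms such as decimal "2130706433".
            return False, "hostname does not resolve: %r" % host

    for record in records:
        if not is_public_address(record):
            return False, "%s resolves to non-public address %s" % (host, record)
    # Caller connects to records[0] and must not auto-follow redirects; each
    # redirect target goes through this check again.
    return True, records[0]
```

The check treats a hostname with any non-public record as unsafe rather than picking the public one, because the client library, not the guard, decides which record it connects to.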