Itzhak ‘Zuk’ Avraham (Founder, zimperium) & Nir Goldshlager (Senior Researcher, zimperium)
PRESENTATION TITLE: Killing a Bug Bounty Program – TWICE
PRESENTATION ABSTRACT:
In the past, researchers who reported security bugs feared that the affected companies wouldn’t take the report in a positive way, and that they could possibly run into legal issues with the vendor. This changed when vendors started crediting researchers (Microsoft and others) for finding bugs (and it’s considered an honor), and now paying for discovered bugs is almost a standard (Mozilla, Google, Facebook and others).
With this in mind, we decided to assess Google and analyze what kind of bugs the all-mighty Google would suffer from. We’ve spotted and observed tens of security gaps which could have been used to attack a targeted person who’s using Google’s services (who doesn’t?), or remote attacks that could be used to gain elevated permissions in Google’s services (people’s life projects could have been ruined by crafting a few packets).
We did a background check on Google’s services and decided where we wanted to assess first based on our instincts and previous experience with similar systems. We checked what Google had acquired (http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google) and analyzed the odds of finding security gaps in each of these services. After multiple assessments and checks, we gained a much better understanding of what they are missing during internal security reviews and focused on those aspects. As mentioned above, approximately 100 bugs were reported, including many which we classified as critical bugs that could allow a malicious user to take control over your account – without your approval.
In this presentation we will present the key aspects of assessing such a bounty program and focus on the most interesting and complex bugs found. In addition, exclusively for HITB attendees, we will introduce new bugs that were never discussed/shown before.
ABOUT ITZHAK ‘ZUK’ AVRAHAM
Itzhak Avraham (Zuk) is a Security Expert who has done a wide variety of vulnerability assessments. Zuk worked at the IDF as a Security Researcher. Proud Founder of zImperium, from the creators of ANTI (Android Network Toolkit). He’s a proud holder of an SVC card that is in the possession of elite researchers such as Matt Swich and really dislikes writing about himself in the third person. Zuk can be found on his personal hacking-related blog at http://imthezuk.blogspot.com and on Twitter as @ihackbanme