$10k host header

On July 11th, I was bored, so I tried to find some bug at Google.
I tried a lot of things in many Google services, one of those things was changing the Host header in requests to the App Engine server (*.appspot.com) in order to get access to some internal App Engine apps (*.googleplex.com) that usually require going through the MOMA login page (Which acts as a proxy called "ÜberProxy"). I used Burp because it was easier to change the Host header quickly and to see the result.

Something like this

Most of my attempts failed, either because the server returned a 404 Not Found, or because it had some security measure such as checking that I used a Googler account ("username@google.com") instead of a normal Google account.
But one of the websites I tried, "yaqs.googleplex.com", didn't check my username, nor had any other security measure.

The website's homepage redirected me to "/eng", and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: "Google Confidential".

At that point I stopped poking at the website and reported the issue right away, without even thinking of a better way to show the vulnerability than with Burp (An easier proof of concept would've been writing this on a terminal: curl -k "https://yaqs.googleplex.com" --resolve "yaqs.googleplex.com:443:172.217.28.180").
This was the report Google received:

Summary: Google confidential page accessible from the outside by requesting it to App Engine directly

Steps to reproduce (Using Burp Suite):
1. Go to the Repeater tab
2. Set the target host to "www.appspot.com", the target port to "443" and check the "Use HTTPS" option
3. Write this raw HTTP request (Including the last two empty lines):
GET /eng HTTP/1.1
Host: yaqs.googleplex.com


4. Click "Go"

Attack scenario:
Anyone can access an internal Google website called YAQS that says "Google Confidential" in the footer.
I'm not sure what it is, I only accessed the homepage (Despite really wanting to take a look around), you can check the request logs (Should be the only one accessing from Uruguay, with IP address <REDACTED>).

Warnings shown:
likely_out_of_scope


Just a few hours after my report, the security team went through my report and confirmed it was valid.

I thought to myself "Cool, this is probably a small thing that isn't worth a dime, the website probably had some technical stuff about Google servers and nothing really important".
I don't know what did the website contain, but some weeks later I got an email right after getting out of school that said my report was worth much more than a dime...


So... I got $10,000 US dollars just for changing the Host header!!!

The bug has been fixed now, and, according to Google, the large reward was because they found a few variants that would have allowed an attacker access sensitive data.

Timeline (UTC-3)

July 11th, 10:13 AM - Initial report
July 11th, 02:44 PM - Report triaged
July 11th, 04:46 PM - Nice catch!
August 4th, 12:55 PM - Reward issued
August 5th, 05:07 PM - Out of curiosity, I asked why the reward was so large, and also if it was fixed and I could talk about it publicly
August 9th, 05:37 AM - Google replied

Reporter

I am an Uruguayan high school student wanting to become a security researcher, you can send me an email to eze2307@gmail.com if you have any comments or questions.
Comments