Google Rewards 2 Indian Hackers; Know Why

New York: New York: Google has rewarded two Indian hackers for reporting vulnerabilities in four Google Cloud Platform (GCP) projects.

Google gave Sreeram KL and Sivanesh Ashok $22,000 (around Rs 18 lakh) as bug bounty, which is given by tech giants to individuals who detect an error or vulnerability in their computer programme or system.

The hacker duo’s biggest bounty was machine learning training and deployment platform Vertex AI, which earned them a pair of $5,000 payouts for a server-side request forgery (SSRF) bug and patch bypass, The Daily Swig reported.

Sivanesh explained the bug and how they came across vulnerabilities in GCP in his personal blog ‘Geeky Cat’.

“A write-up about how Sreeram KL and I found a bug in Google Cloud that allowed us to take over a victim’s compute engine VM,” Sivanesh wrote on Twitter.

“The flaw resided in Vertex AI’s workbench feature, which enables the creation of Jupyter notebook-based development environments on the cloud,” Sreeram said in his blog.

What Is SSRF Bug?

SSRF is a web security vulnerability which allows an attacker to induce the server-side application make requests to an unintended location.

The attacker may cause the server to make a connection to internal-only services within the organisation’s infrastructure. The attacker may also be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.