HitB2012AMS: Killing a Bug Bounty Program ‐ TWICE

Oops! – A CC image by Neal.
By Itzhak ‘zuk’ Avraham (Founder, zimperium) & Nir Goldshlager (Senior Researcher, zimperium)

If you are trying to find bugs in standard services with standard tools, you will not succeed, because somebody else has probably done it before you. This talk is about how to find the bugs other people have not found before you.

There are several bug bounty programs:
  • 1995 – Netscape
  • 2004 – Firefox
  • 2005 – ZDI
  • 2007 – Pwn2Own
  • 2010 – Google
  • 2011 – Facebook

The first step to finding good bugs that are worth a bounty is “Know your enemy”: both the system you are trying to find the bug in and your fellow bug hunters.

Look for things like untested services and multi-vector vulnerabilities.

A good place to start is technology that was recently purchased by Google. New services are tested less than the established services. And last year, Google purchased about 1 company every week.

A lot of information about Google can be found via Google, e.g. the companies they recently took over and the error messages people got when they used Google’s services.

First new bug: Google Calendar error based XSS

First the researcher created a calendar with the XSS payload in the calendar name. This is self-XSS: I only see it in my own account. But Google allows you to share calendars. However, the XSS is only exploitable if the user deletes the calendar 1-5 times.

So how do we get a user to delete a calendar? Calendar spam. Send a user 100 calendars and he is bound to delete it multiple times.

Google Analytics – Stored XSS

In-page analytics doesn’t escape incoming requests. How can this be used to own the web admin's computer? Two creative ways:

  • In-page analytics – when the user logs in
  • Sharing – infecting ourselves and sharing our analytics with the victim

Both attacks are demonstrated.

Google FeedBurner Stored XSS

The feed title in FeedBurner is susceptible to XSS. At first glance it is escaped, but the title is used in multiple places, e.g. the subscribe page (not vulnerable) and the unsubscribe page (vulnerable via the "are you sure" dialog).

Can be exploited in two ways:
  • Target subscribes and unsubscribes
  • Spamming an unsubscribe link

Google FriendConnect error based XSS

The XSS is not in the friend option, but in the delete/unfriend option. So we need to force the user to delete us as a friend.

  • Friend somebody
  • Spam the user so he hates us
  • User unfriends
  • XSS occurs in the confirmation dialog
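
The Calendar, FeedBurner and FriendConnect findings share one pattern: a stored value is escaped on the main page but not in a rarely exercised delete or unsubscribe confirmation dialog. The following is an added example, not code from the talk or from Google: a regression check that renders every view with a harmless canary and reports the ones that emit it unescaped. The view functions, the `title` field and the canary are constructed for illustration.

```javascript
// Added example: hypothetical views, not Google's code.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Constructed views that all render the same stored, user-controlled title.
const views = {
  subscribe: (feed) => `<h1>Subscribe to ${escapeHtml(feed.title)}</h1>`,
  // The rarely exercised path: the confirmation dialog forgets to escape.
  unsubscribeConfirm: (feed) =>
    `<div class="dialog">Are you sure you want to leave ${feed.title}?</div>`,
  // Same dialog with the output encoding applied at this sink too.
  unsubscribeConfirmFixed: (feed) =>
    `<div class="dialog">Are you sure you want to leave ${escapeHtml(feed.title)}?</div>`,
};

// Harmless canary: markers around every character HTML escaping must neutralise.
const OPEN = 'qx7', CLOSE = '7xq';
const CANARY = `${OPEN}<'"&>${CLOSE}`;
// A raw metacharacter, or an ampersand that does not start a known entity.
const RAW = /[<>"']|&(?!(?:amp|lt|gt|quot|#39);)/;

// Render each view with the canary and return the names of views that
// emit any part of it unescaped (partial escaping is reported as well).
function findUnescapedSinks(viewMap, field = 'title') {
  const findings = [];
  for (const [name, render] of Object.entries(viewMap)) {
    const html = render({ [field]: CANARY });
    const start = html.indexOf(OPEN);
    const end = html.indexOf(CLOSE, start);
    if (start === -1 || end === -1) continue; // view does not render the field
    const emitted = html.slice(start + OPEN.length, end);
    if (RAW.test(emitted)) findings.push(name);
  }
  return findings;
}

console.log(findUnescapedSinks(views));
```

The check only covers HTML text and attribute contexts; a value placed inside a script block or a URL needs the encoding for that context instead.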

Google Knol - Permission bypass

Normally a user can view an unpublished document, but if the user uses the Knol translator tool, the document is accessible with the (unlimited) privileges of the translator.

Google affiliate network – Stored XSS + Admin privileges

Two goals:
  • XSS an account
  • Gain Administrator privileges

The first bug is simple. By changing the LinkId field in the URL you can see and edit other people’s links. By editing the links you can execute XSS on other people's accounts.

The second attack does not require XSS. The affiliate application allows you to manipulate the UserID and Email fields and change some other user's email address. Awarded with a $3133,7 bounty.

Google Picnik – Local file inclusion

Picnik.com seems to be secure.

By brute force the domain name vpn.picknik.com was found. It seems that by mistake somebody installed phpList, and an old version as well, with the default password. Using well-known vulnerabilities it was possible to take over the entire server. Again awarded with a $3133,7 bounty.


It is not about 0-days, but:
  • Out of the Box thinking
  • Think differently
  • Information gathering
  • Mixed services
  • Permissions

Materials available from http://conference.hitb.org/hitbsecconf2012ams/materials/

Encore: Blogger HPP

As an encore, the guys demonstrated an HTTP Parameter Pollution (it's not dead) attack to get administrator rights to any Blogger account.


Itzhak Avraham (Zuk) is a Security Expert who has done a wide variety of vulnerability assessments. Zuk worked at the IDF as a Security Researcher. Proud Founder of zImperium, from the creators of ANTI (Android Network Toolkit). He’s a proud holder of a SVC card that is in the possession of elite researchers such as Matt Swich and really dislikes writing about himself in the third person. Zuk can be found on his personal hacking related blog at http://imthezuk.blogspot.com & on Twitter as @ihackbanme


Nir Goldshlager – Nir is a known security researcher with more than 12 years of extreme web application assessments. Nir has found many high vulnerabilities in every big-scale website that exists today (Google, Paypal, Ebay, Twitter, Amazon, etc.). Nir is also listed in Google Security Sustained Support for many bug findings. Nir is a Senior Researcher at zImperium. Nir can be found on Twitter @Nirgoldshlager and on his personal blog: http://www.nirgoldshlager.com

