Wednesday, April 17, 2024
HomeBig DataGoogle Cloud Awards $313,337 in 2022 VRP Prizes

Google Cloud Awards $313,337 in 2022 VRP Prizes


2022 was a profitable 12 months for Google’s Vulnerability Reward Packages (VRPs), with over 2,900 safety points recognized and glued, and over $12 million in bounty rewards awarded to researchers. A big quantity of those vulnerability reviews helped enhance the safety of Google Cloud merchandise, which in flip helps enhance safety for our customers, prospects, and the Web at giant.

We first introduced the Google Cloud VRP Prize in 2019 to encourage safety researchers to give attention to the safety of Google Cloud and to incentivize sharing data on Cloud vulnerability analysis with the world. This 12 months, we have been excited to see a rise in collaboration between researchers, which regularly led to extra detailed and sophisticated vulnerability reviews. After cautious analysis of the submissions, at this time we’re excited to announce the winners of the 2022 Google Cloud VRP Prize.

2022 Google Cloud VRP Prize Winners

1st Prize – $133,337: Yuval Avrahami for the report and write-up Privilege escalations in GKE Autopilot. Yuval’s wonderful write-up describes a number of assault paths that might permit an attacker with permission to create pods in an Autopilot cluster to escalate privileges and compromise the underlying node VMs. Whereas these VMs are accessible to prospects in GKE Normal, this analysis led to a number of hardening enhancements in Autopilot that make it a greater secure-by-default Kubernetes providing.

2nd Prize – $73,331: Sivanesh Ashok and Sreeram KL for the report and write-up SSH Key Injection on GCE. Their write-up describes the journey of discovering a vulnerability that might permit an attacker to achieve entry to a person’s GCE VM by tricking them into clicking a hyperlink. They display the significance of persistence and turned a wierd habits in person creation into an injection of arbitrary SSH public keys.

third Prize –  $31,337: Sivanesh Ashok and Sreeram KL for the report and write-up Bypassing Authorization in Cloud Workstations. Their write-up describes their analysis course of for analyzing Cloud Workstations after which a full-chain exploit to steal a person’s entry token by abusing the format of an OAuth state parameter.

4th Prize – $31,311: Sreeram KL and Sivanesh Ashok for the report and write-up Consumer-Aspect SSRF to Google Cloud Undertaking Takeover. Their write-up combines a client-side SSRF, a CSRF bypass, and a intelligent 3xx redirect by “deactivating” a Feedburner proxy. An attacker may use this vulnerability to steal a Vertex AI person’s entry token by tricking them into clicking a hyperlink.

fifth Prize – $17,311: Yuval Avrahami and Shaul Ben Hai for the report and write-up Kubernetes Privilege Escalation: Extreme Permissions in In style Platforms. Their whitepaper covers privilege escalation vectors in Kubernetes and describes vulnerabilities in lots of Kubernetes internet hosting suppliers, together with Azure’s AKS, Amazon’s EKS, and GKE.

sixth Prize – $13,373: Obmi for the report and write-up A Few Bugs within the Google Cloud Shell. Obmi found vulnerabilities within the Cloud Shell file add performance that might have allowed an attacker to put in writing arbitrary recordsdata to a person’s Cloud Shell by way of cross-site request forgery.

seventh Prize – $13,337: Bugra Eskici for the report and write-up Command injection in Cloud Shell. Bugra discovered a really curious injection level in a Cloud Shell script that led to a URL question parameter being immediately injected right into a Python script. This vulnerability would have given an attacker arbitrary code execution in a person’s Cloud Shell in the event that they clicked on an attacker-controlled hyperlink.

Congratulations to all of the winners and pleased hacking! Observe us on @GoogleVRP for future information and updates.



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments