Top-tier payout for Google App Engine flaw that enabled access to hidden APIs

An 18-year-old Uruguayan student has received more than $36,000 from the Google Vulnerability Rewards Program, after he alerted developers to a remote code execution (RCE) bug in the Google App Engine (GAE) web framework.

Playing around with a non-production GAE deployment environment, Ezequiel Pereira came up with a new method to reveal which websites are running on GAE – Google’s web framework and cloud computing platform for hosting web applications.

After discovering that appengine.google.com itself runs on GAE, Pereira started looking for ways to access the “API, interface, or something only available to applications” run by Google.

In his write-up, Pereira demonstrates how he was eventually able to find numerous remote procedure calls (RPCs) for appengine.google.com, including one named "stubby".

“I had already seen ["stubby"] mentioned before in error messages from some Google products… so I knew it was a RPC infrastructure, and it might be a way for appengine.google.com to perform internal actions,” he stated.



While Pereira initially could not find a way to access the "stubby" RPC in the production GAE deployment environment, he leveraged another bug (which accounted for $5,000 of the bounty) that enabled him to enter Google’s internal staging and test environments.

This was the final piece of the puzzle, as the more relaxed security of these environments granted access to the "stubby" RPC server, which returned a “nice rpc.ServiceList listing all the services (and their methods) the target supports”.

“After discovering this, I did some testing, but I was not able to find any "stubby" call that I considered dangerous,” he said. “Nevertheless, I reported this to Google and it got a P1 priority.”

Interestingly, following the initial report, Pereira pulled focus on another argument he received from his Java launcher binary named app_config_service, which could allow anyone with access to change application configuration settings directly on the endpoint.

“After discovering this, I reported the new findings to Google and they bumped the priority of the internal ticket,” he said. “I was not aware until then that this was regarded as remote code execution (the highest tier for bugs).”

While Google provided little details surrounding the flaw, a reward panel member told Pereira: “It is RCE for the way Google works”.

This comment, along with the huge bounty handed to the researcher, suggests the bug could have enabled an attacker to read files, open connections, or perhaps even carry out reconnaissance on the tech giant’s own internal network.

Regardless of the possible ramifications, the vulnerability has been fixed, with Pereira now $36,337 richer.

“It was a very pleasant surprise,” he said, after receiving news of the five-figure bug bounty payout.