Google Bug Bounty - The 5k Error Page

Well, this is going to be quite a short post ..

In January I was looking at some Google services hoping to find something worth a bounty. I came across https://login.corp.google.com which is nothing more than a simple login page (seems to be for Google employees themselves …)

login.corp.google.com Login Page

Every time the page is accessed, a new image from https://static.corp.google.com is loaded directly into the page. Nothing too fancy happening here hm?!

An example of such an image URL is https://static.corp.google.com/corpsso/images/PICT0004.jpg

Well, after trying some other things I thought provoking an error here is the best thing I can do: I accessed https://static.corp.google.com/corpsso/asd/ and the default Google 404 page appeared with one difference:

Special Google 404 Page

I found a feature!



Let's check out what this is about. The “Re-run query with SFFE debug trace” link pointed to https://static.corp.google.com/corpsso/asd/?deb=trace.

SFFE and XFE HTTP Request

Uff … That’s bad …



I was able to access internal debug information on static.corp.google.com by just adding “?deb=trace” to a 404 URL.

I saw the complete X-FrontEnd (XFE) debug trace and much more. I am still not sure what “SFFE” stands for but it seems that it’s something like a request engine in Google's backend that handles for example Bigtable Lookups. Bigtable is a “high performance NoSQL database service for large analytical and operational workloads”. For more information go here.

I was also able to view the SFFE response headers which indicate that nothing was found …

SFFE Response Headers

In another section of the debug page I had access to the complete Bigtable lookup flow which was performed due to my request (sorry for all the blacking):

Replicated Bigtable Lookup Flow

This flow contained table names and paths of different Bigtables which were queried because of my request. So basically I was able to access Google internal information like:

Internal IP of the server which was used for the query (I think ..) + its uptime

Name of the server (the name is actually a link which is not accessible from the Internet but seems to point to Google Borg clusters)

SFFE Request and Response Headers

XFE HTTP Request

Replicated Bigtable Lookup Flow

Service Policies

…

The page did not allow any user interaction and I haven’t found anything to “go deeper” into the system so I reported it right away.
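The class of issue described above, shown as an added example that is not part of the original post and is not Google's code: a 404 handler that honours a debug flag from any client, next to one that gates both the debug link and the trace on the connecting peer. Only the `deb=trace` parameter comes from the post; the handler names, the trusted range, the trace contents and the assumption that `REMOTE_ADDR` is the real socket peer are hypothetical.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

# Assumption: constructed internal range that is allowed to see diagnostics.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
BASE = "404. That's an error."
DEBUG_LINK = "Re-run query with debug trace: ?deb=trace"


def build_trace():
    # Stand-in for internal diagnostics; every value here is constructed.
    return "TRACE backend=10.1.2.3 uptime=42d lookup=/example/table"


def wants_trace(environ):
    # True when the query string carries deb=trace.
    qs = parse_qs(environ.get("QUERY_STRING", ""))
    return "trace" in qs.get("deb", [])


def is_trusted(environ):
    # Decide on the socket peer only; client-supplied headers such as
    # X-Forwarded-For are deliberately not consulted.
    try:
        addr = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def not_found_vulnerable(environ):
    # Every client is shown the debug link, and the flag alone enables the trace.
    parts = [BASE, DEBUG_LINK]
    if wants_trace(environ):
        parts.append(build_trace())
    return "\n".join(parts)


def not_found_hardened(environ):
    # Untrusted clients get the plain 404 whether or not they send the flag.
    parts = [BASE]
    if is_trusted(environ):
        parts.append(DEBUG_LINK)
        if wants_trace(environ):
            parts.append(build_trace())
    return "\n".join(parts)
```

Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the trust decision would have to be made at the edge and passed on in a form clients cannot set.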

It was my first bounty I got from Google!

Detailed Reporting Timeline

19/01/2017 – Initial report

20/01/2017 – Report triaged

20/01/2017 – Nice catch!

10/02/2017 – Google already fixed the issue but forgot to tell me … I contacted them asking for an update

19/02/2017 – Got a response, they implemented a short-term fix and forgot to send my report to the VRP panel …

10/03/2017 – Got $5000 bounty

16/03/2017 – Google implemented permanent fix