HOW I GOT INTO GOOGLE’S HALL OF FAME

Introduction

Hi everyone! In this article I am going to show you how I got into Google’s Hall of Fame by finding a security vulnerability in one of their acquisitions. So, let’s get started!

Initial Reconnaissance

So I started hunting on Google around 2 months ago. The first thing I did was gather the whole list of Google’s acquisitions (companies that are owned by a parent company). After that, I started hunting on one of Google’s domains (let’s say privategoogle.com). The web application I was testing relied heavily on Artificial Intelligence. In my mind, I was thinking “Hmmm, maybe I should look for vulnerabilities that developers often forget”, and after a few minutes I thought of the infamous “Pixel Flood” attack.

What is a Pixel Flood Attack?

In simple terms, it is a vulnerability in which an attacker uploads a malicious image that declares far more pixels than the file actually contains: a file of a few hundred bytes whose header claims a canvas of, say, 65535 x 65535 pixels. Image libraries allocate memory for the full decoded bitmap (width x height x bytes per pixel, here roughly 12 GB for 24-bit RGB) before they discover that the pixel data is bogus, so a server that decodes or resizes uploads without checking the declared dimensions first runs out of memory or CPU. That is a DoS (Denial of Service) attack. Servers that enforce a pixel budget before decoding (or use a library with a built-in decompression-bomb limit) are not affected. Now, let’s continue our story.

How to test for this vulnerability?

1- Download the image file from here.

2- Upload this image to the website you are testing on.

3- If the upload times out (or the server answers with a 5xx error) while a normal image of similar file size uploads fine, the server is decoding the image unchecked and is vulnerable. Test a normal image first so you have a baseline: a single timeout can also be network noise, and repeating the upload against a server that really is vulnerable can take the service down for other users, so keep the number of attempts to the minimum needed to confirm.
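To make the mechanism described under “What is a Pixel Flood Attack?” and the test above concrete, here is an added example (my own code, not the author’s, and not the image file the author links to). It builds a pixel-flood PNG of under 100 bytes whose header claims a 65535 x 65535 canvas, and it shows the check an upload handler should run before any decoder touches the file: read the declared dimensions straight from the PNG IHDR or JPEG SOF header and reject anything over a pixel budget. The 25-megapixel limit, the helper names and the constructed JPEG prefix are assumptions made for the illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Pixel budget for an avatar endpoint. An assumed value for this example;
# tune it to what the application needs (25 MP is already far beyond any profile picture).
MAX_PIXELS = 25_000_000


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC32 over type+data, as the PNG spec lays out a chunk."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_pixel_flood_png(width: int = 65535, height: int = 65535) -> bytes:
    """Constructed pixel-flood PNG: a valid signature and IHDR that claim a huge
    canvas, followed by an IDAT holding a few bytes instead of the ~12 GB of
    scanlines the header implies. A decoder that trusts IHDR allocates
    width * height * 3 bytes before it notices the data runs out."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00" * 4)  # deliberately far too little pixel data
    return (PNG_SIGNATURE
            + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b""))


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed JPEG prefix (SOI, APP0/JFIF, SOF0) declaring width x height.
    Enough for header inspection; it is not a decodable image."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    # SOF0 body: precision, height, width, component count, 3 x (id, sampling, qtable)
    sof0 = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0)


# SOFn markers carry the frame dimensions; C4 (DHT), C8 (JPG) and CC (DAC) do not.
_JPEG_SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def declared_dimensions(data: bytes) -> tuple:
    """Return (width, height) read from the container header alone, touching no
    pixel data. Raises ValueError for anything that is not a recognisable PNG or JPEG."""
    if data.startswith(PNG_SIGNATURE):
        # IHDR must be the first chunk: 8 signature + 4 length + 4 type, then W, H.
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("malformed PNG: IHDR is not the first chunk")
        width, height = struct.unpack(">II", data[16:24])
        return width, height
    if data.startswith(b"\xff\xd8"):
        pos = 2
        while pos + 4 <= len(data):
            if data[pos] != 0xFF:
                raise ValueError("malformed JPEG: expected marker byte")
            marker = data[pos + 1]
            if marker in _JPEG_SOF_MARKERS:
                # segment: length(2) precision(1) height(2) width(2) ...
                if pos + 9 > len(data):
                    raise ValueError("truncated JPEG SOF segment")
                height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
                return width, height
            if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
                pos += 2  # standalone markers carry no length field
                continue
            seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            pos += 2 + seg_len
        raise ValueError("JPEG without a SOF marker")
    raise ValueError("unsupported image format")


def is_safe_to_decode(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """The pre-decode check an upload handler should run: reject the image on its
    declared size before any library is allowed to allocate a bitmap for it."""
    try:
        width, height = declared_dimensions(data)
    except ValueError:
        return False  # unparseable header: do not let a decoder guess at it
    return width > 0 and height > 0 and width * height <= max_pixels


if __name__ == "__main__":
    flood = make_pixel_flood_png()
    print(f"pixel-flood PNG: {len(flood)} bytes on disk, declares {declared_dimensions(flood)}")
    for name, blob in [("flood.png", flood),
                       ("avatar.png", make_pixel_flood_png(512, 512)),
                       ("flood.jpg", make_jpeg_header(65500, 65500)),
                       ("photo.jpg", make_jpeg_header(1024, 768))]:
        print(f"{name}: {'decode' if is_safe_to_decode(blob) else 'REJECT'}")
```

The point of the check is that the header bytes are cheap to inspect while the decoded bitmap is not; the file size tells you nothing, because the flood image is smaller than a real avatar. Mainstream libraries already offer this guard (Pillow’s `Image.MAX_IMAGE_PIXELS`, ImageMagick’s resource limits in `policy.xml`), but it only helps if the upload actually passes through it before being resized.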

Back to story:

So, the web application has an upload-profile-picture feature that allows users to upload an image for their profile. I tried to upload the pixel flood image and, to my surprise, the server timed out!!! I was like:

I immediately reported this vulnerability to Google and after a few weeks I got my name in Google’s Hall of Fame:

Conclusion

So, that’s it for this article. I hope you all learned something new. Some of the important takeaways from this article are:

1- Follow the road less traveled.

2- Never be afraid to fail.

3- Always try out new things.

Check out some of these amazing articles to increase your bug bounty skills:

Want to learn Account Takeover? I got you😉

Increase your cybersecurity skills!

Let’s meet in another article. Till then:
