Hi everyone, In this article I am going to show you how i got google’s hall of fame by finding security vulnerability in one of their acquisition. So, let’s get started!
So I started hunting on Google around 2 months ago. The first thing that i did initially is that i gather whole list of acquisitions(companies that are owned by a parent company) of Google. After that, I started hunting on one of google’s domain (let’s say privategoogle.com). Now the web application which i was testing was heavily relying on Artificial Intelligence. In my mind, i was thinking “Hmmm, maybe I should look for vulnerabilities that developer’s often forget” and after few minutes i think of the infamous “PixieFlood” attack.
What is PixieFlood Attack?
In simple terms, it is a vulnerability in which an attacker uploads a malicious picture/image that contains too many pixel. This causes a DoS(Denial of Service)Attack when the server tries to handle the image. Now, let’s continue our story.
How to test for this vulnerability?
1- Download the image file from here.
2- Upload this image to the website you are testing on.
3- If the website’s server gets timed out, it means that the server is vulnerable.
Back to story:
So, the web application has an upload profile picture functionality that basically allows users to upload an image for their profile. I tried to upload the pixieflood image and to my surprise the server got timed out!!! I was like:
I immediately reported this vulnerability to Google and after few week, I got my name in the Google’s Hall of Fame:
So, that’s it for this article. I hope you all learnt something new. Some of the important takeaways of this article are:
1- Follow the road less traveled.
2- Never afraid to fail.
3- Always try out new things.
Check out some of these amazing articles to increase your bug bounty skills:
Let’s meet in some another article, Till then: