Summary

  • A security researcher has detailed a simple flaw in Google Drive that enabled them to access other users’ private files and earn a $3,133.70 bounty in the process.
  • The issue, reported to Google in 2019, was an input-validation error that allowed them to change the ID of a targeted file in a request and gain access to it, even if it was private.
  • After reporting the flaw, the researcher noted that Google’s initial response, in which it triaged and escalated the report, took a day, and that it took another two days to confirm the vulnerability via its “Nice Catch!” message.
  • The researcher said they were subsequently inducted into the search giant’s Hall of Fame, and were surprised three weeks later to receive the sizable bounty payment.
