Hacking Google Cloud?
Every year Google celebrates the best security issues found in Google Cloud. This year we take a look at the 7 winners to see if we could have found these issues too. Will I regret not having hacked Google last year?
This video is sponsored by Google VRP:
Follow GoogleVRP Twitter: / googlevrp
The GCP Prize Winners of 2022:
security.googleblog.com/2023/...
1. Prize - $133,337: Yuval Avrahami unit42.paloaltonetworks.com/g...
2. Prize - $73,331: Sivanesh Ashok and Sreeram KL blog.stazot.com/ssh-key-injec...
3. Prize - $31,337: Sivanesh Ashok and Sreeram KL blog.stazot.com/auth-bypass-i...
4. Prize - $31,311: Sreeram KL and Sivanesh Ashok blog.geekycat.in/client-side-...
5. Prize - $17,311: Yuval Avrahami and Shaul Ben Hai www.paloaltonetworks.com/reso... Talk: • Trampoline Pods: Node ...
6. Prize - $13,373: Obmi obmiblog.blogspot.com/2022/12...
7. Prize - $13,337: Bugra Eskici bugra.ninja/posts/cloudshell-...
Previous Winners:
GPC Prize 2019: • $100k Hacking Prize - ...
GPC Prize 2020: • Hacking into Google's ...
GPC Prize 2021: • Could I Hack into Goog...
Chapters:
00:00 - Intro
01:28 - Python Command Injection (Prize 7)
03:01 - XSS, CSRF and NEL Backdoor (Prize 6)
07:04 - Excessive Permissions in k8s DaemonSets (Prize 5)
09:13 - SSRF auth Authorization Token (Prize 4)
10:46 - OAuth Issue (Prize 3)
12:07 - SSH authorized_key Injection (Prize 2)
14:45 - Kubernetes Engine Privilege Escalation (Prize 1)
18:11 - Discussing the Winner
19:25 - What did I learn from the GCP 2022?
20:51 - Outro
=[ ❤️ Support ]=
Get my handwritten font shop.liveoverflow.com (advertisement)
Checkout our courses on hextree.io (advertisement)
Support these videos: liveoverflow.com/support/
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
Пікірлер: 155
"Yep, I regret not hacking xyz" is something I tell myself everytime i see a writeup on the internet for anything :(. If only there was a easy way to fix my laziness/procrastination
@Timm2003
11 ай бұрын
If u found a way pls let me know 😑
@Nunya58294
11 ай бұрын
It's called don't be an idiot.
@nabilrise1551
11 ай бұрын
isn't that our biggest enemy ... our own procrastination
@Maxjoker98
11 ай бұрын
Amphetamines. Cocaine. I'm kidding of course, these are at best short-term motivators. If you want to adopt a new behavior intentionally, one of the most important things is long-term motivation. You need to think "If only I did X, I'd be a little closer to goal Y", where Y is a goal that you can reach by continuously working on X.
@whannabi
11 ай бұрын
@@Maxjoker98Adderall, Xanax. I'm not kidding tho. Just kidding ha ha...!
Its always funny seeing some of the vulnerabilities in these bugbounties are so simple its baffling. "ah that would never work its so simple those engineers probably have 20 checks on it" Hindsight 2020 i guess after the fact
@kyle8575
11 ай бұрын
Obviously outsiders can’t comment on the work environment, but if I had to guess it’s like this. 1) Google wants a new feature 2) Timeline is really short or engineers take their sweet time to procrastinate then rush it out 3) Lacks proper checks and review 4) Goes to production
@Golden2Talon
11 ай бұрын
yeah i always hear what kind of amazing engineer you have to be to work at FAANG and I guess 100 PhDs will block everything I do.... then I see this
@jeffwells641
11 ай бұрын
I think it's more likely just the fact that they are always trying to improve, and therefore always changing. The more you change, the more likely it is someone will make a mistake or two systems will interact in a way that will open one or the other up to a vulnerability that was formerly not possible. That's why the Google Cloud hacking competition is brilliant - for about the cost of a single software engineer, Google gets thousands of talented individuals discovering weaknesses in their system, most of which a Google engineer can then fix in like 5 minutes.
@amunak_
11 ай бұрын
It's also just that there's just *so much code* and *so many people* that things slip through easily.
@MegaTomPL2
11 ай бұрын
its like puzzle
I think it is wonderful that Google is paying for third party research, made publicly available, not "just" bug hunting.
@mollthecoder
10 ай бұрын
It's better to pay a few thousand for a bug to be responsibly disclosed then it be used maliciously and potentially cause millions in damage
@test-rj2vl
10 ай бұрын
@@mollthecoder Yep, that is true. If they don't pay, someone else will.
@monad_tcp
8 ай бұрын
I don't think they are either bug hunting or doing user experience or anything on GCP because ITS AWFUL, that's why its cheaper than AWS or Azure
@monad_tcp
8 ай бұрын
@@mollthecoder " potentially cause millions in damage" is anything serious using GCP ?
I'm very surprised. At least 2 of these bugs could have been found by using a very basic bad-string library on the APIs arguments.
@ALZlper
11 ай бұрын
As long as you see this fix as a swiss cheese slice
Love how all of the prizes are variations on 1337.
@chill_melodies
11 ай бұрын
all Google bounties have 1,3 and 7 always
It would be an interesting video idea if you film the process of finding an actual vulnerability in something like Google cloud (if you actually manage to find one). Which you can release once the party has had time to fix it. It would give a more real world example of how you go about finding vulnerabilities that isn't just capture the flag.
@expandingsalad786
11 ай бұрын
I don't remember which videos specifically, but I'm 99% sure he's done almost exactly this
@justind4615
10 ай бұрын
@@expandingsalad786 can you name me 1 video pls
Was exposed to Kubernetes Clusters in my work. I think, there is still unbelievably many bugs, we have no idea of. The more complex your cluster the higher the chance, that there is a misconfiguration. The juciest ones being at egress and ingress nodes (apart from the master node). Builing up your patience for it might be very fruitful! ;) And thank you of course for you insanely valuable content!
Finding bug bounties at this level is like panning for gold.
I don't know if it's just me, but these prizes seem absurdly low for what they're worth. And also considering software engineers at google get salaries in the range of hundreds of thousands per year, the reward is like what, a few weeks of pay for one of their employees? The first two prizes are more "worth", but even those are low compared to their value. It makes you wonder how many people find such exploits and instead of turning them in they'd rather sell them on the black market.
@LiveOverflow
11 ай бұрын
This is just a bonus on top of the regular bounty reward ;)
@stewiegriffin6503
11 ай бұрын
@@LiveOverflow Yes, bonus to yearly 100 $
@AGryphonTamer
11 ай бұрын
@@stewiegriffin6503 $100? Where did you get that number? Google paid an average of $11k per vulnerability of chrome. And they paid out 12 million this year. A few rewards even going for hundreds of thousands.
@NoNameAtAll2
11 ай бұрын
@@LiveOverflowhow big is "usual bouny reward"?
@AGryphonTamer
11 ай бұрын
Google paid an average of $11k per vulnerability of chrome. With some going for hundreds of thousands. Even for software engineers that's not nothing. It's profitable people are building teams to find bugs, and Google paid out over 12 mill this year. Now let's say you're a skilled software engineer, and you find a vulnerability. Would you rather take your chances on the black market, where you'd be breaking the law, risk losing your job, getting arrested, and have no guarantee of getting paid, or get paid a not insubstantial (if not massive) amount 100% legally. I know what I'd pick.
This is so cool. I just recently discovered your channel and you are already in my top 3 favorites. You inspire me so much to keep learning new things and experimenting with new technologies.
Proud of Yuval's incredible work and findings 🙌
One clarification, don't use the phrase "PODs or containers" because first they are not the same thing, and for a bit of extra knowledge, PODs can have multi-containers inside of them. Love your work, keep it up!
@oblivion_2852
11 ай бұрын
True but normally people referring to the other containers in a pod will be referring to a sidecar or init container.
Congratulations to all the winners!
Wow, great video! You should definitely try next year!
I really enjoy watching your videos; they motivate me to keep studying.
Really interesting, thanks for the upload.
Thanks for this nice content. So surprised with Ssh key injection, is crazy.
The payout structure is a play on leet right? Didn't realize that was still a thing
Daaaamn if a team can win 4th to 2nd place does it mean there could be a team that would win all 7 places? (I know it's next to impossible, but I wonder what would it take)
@coldfire6869
11 ай бұрын
Let's find out. When are you free?
@Freakinkat
11 ай бұрын
It's not impossible
@Freakinkat
11 ай бұрын
@@coldfire6869yeah you got the right attitude, In good at Social engineering :D
@whannabi
11 ай бұрын
Think bigger : a whole company.
@Freakinkat
11 ай бұрын
@@whannabi I'm dead ass serious, over here! I'm down AF! Y'all just lemme know what's up, we can link up then delete our post to ditch any evidence "Just in case there be lurker's" thank goodness for hiding in plain sight, it's a beautiful thing, truly it is.
You are great as always, thanks!
Great Ed Sheran teaching us about hackin
Hey man I love the work you do the breakdowns are incredible. Really loved the description of Sockpuppet and wondering if you’d do more with iOS/xnu. The FORCEDENTRY (Triangulation) vulnerability is very intriguing (zero click) and I’m still purposefully in the cross hairs on iOS 14.2. Would you please look into these CVE to see if there is a potential video for the channel and us viewers? RCE with no interaction from a user 😱
It’s so crazy hearing the theme tune for liveOverflow for ages and then realise it’s by Gunnar who I just saw with Puscifer! How crazy
I laughed a lot at every recap saying "We'll see if I regret" :D
"But, time issues can be solved with just, spending more time..." -LiveOverFlow @ 20:27
That's fucking genius with the image drag n drop.. good lord.
Sorry for offtop but...from the security researcher perspective, what do you think about passkey?
love how all the prize money is variations of 1337
Is the entire video an advertisement? because the text stays in the top right corner the entire time
@LiveOverflow
11 ай бұрын
well the video was sponsored by Google. So I should probably clearly and transparently disclose that ;)
Can you make a video how dangerous extensions are (Browser, VSC)? I think its quite hard to find sources on that that are not like "its really dangerous" but yet everyone uses them.
i admit i tried the command shell last year but at the end i just didnt continue...damn....this year i proposed myself to learn more abour kernel windows, and stuff, but i think i must dedicate some time to google
Good video.
Good to see "Buğra" here, he's a teenager from Turkey, I saw his video on "Google Cloud OS Command injection" but didn't know he won the prize. Let the 'mdisec' community rise.
What's up with the "Advertisement" hanging out at the top right corner for the entire duration of the video?
@AGryphonTamer
11 ай бұрын
The entire video was paid for by Google, and google used it on their own page. So it kind of makes sense to declare it.
I might have found that last SSH problem by mistake when typing my username, but I was too busy to care.
I honestly think 100k is not enough for finding these bugs. consider how large google is.
@AGryphonTamer
11 ай бұрын
This is just a bonus prize. Google paid 12 mill in bounties this year, Some going for hundreds of thousands.
Why does the video say `advertisement` in the top all through the video?
@LiveOverflow
11 ай бұрын
it's a sponsored video, so I want to transparently disclose this
@skifli
11 ай бұрын
@@LiveOverflow Oh ok that makes sense, thanks.
Hy I am from Pakistan and stuck in a question, I just want to know how x86-64 Architecture processor know what is the required privilege level of the instruction or what privilege required to execute fetched command or with what it should compares CPL when executing the command. I Hope you will understand my question and respond to architect security enthusiast like you. Thanks
why to ssh in the browser?
We will see,, *5 years later:* We will see
Hello there fellow VRP Hall of Famers! 😅 Although I don't think they label us as HoF anymore though.
noice!
so gr8
Organisations, developers should learn from google :)
Why is the 6th place prize money at 3:14 displayed as 13,373$ when it could have been much cooler as 13,337$?
@hansmuds6018
11 ай бұрын
Because 7th place was 13,337$ already
@dani33300
11 ай бұрын
@@hansmuds6018 True. Should have been 13333.37$ to avoid this issue.
fell victim of one of those oauth thing a long time ago
This month I reported 2 bugs in Google products, both were Triaged, 1. P4 to P3 2. P2 . But they came with final result that, they want some serious impact on that..still working on those and one more I reported few days ago which sleep SQLI injection.. hope this one will get Triaged and will get my reward 😢 also had one bug which was Triaged, more than 2 months ago in Microsoft, they are taking so much time.
Daemon set trampolines...
Google's product naming is so confusing. Is this Google Cloud as in Drive and Docs or Google Cloud as in GCP? And what is Google One and where did that suddenly come from??
@molinodealfonsoaceitesalfo5175
9 ай бұрын
Nowadays Baidu Servers
LETSS GOO!
Kudos to Google for doing this, and for the researchers for participating
Please make bypass biometric security
@poglin_or_smh
11 ай бұрын
Plastic surgery
@kmcat
11 ай бұрын
Finger print scanners are easy and sometimes messy
@Capiosus
11 ай бұрын
gj u are first
Push!
Google should write more code in rust. 😂
5:20 wtf. Literally.
i use it as a ide
Sreeram KL ♥
Leet bounties.
I work for big tech and I knowingly introduce zero day exploits.
@universaltoons
11 ай бұрын
😱
130k for god knows who much time, is a bad pay. A good security engineer who goes freelance will turn that over in a year, here in NL and D. And unlike bug bounties this income js a continuous income source.
@LiveOverflow
11 ай бұрын
The winner did this work as an employee at paloaltonetworks. So this is just an extremely juicy bonus ;)
@CallousCoder
11 ай бұрын
@@LiveOverflow then it’s nice yeah 😄Until Der Steuerambt drops by I heard that in Germany it’s also as bad as here in NL these days. With the governments basically stealing income from its citizens without proper representation. 😏
@AGryphonTamer
11 ай бұрын
This is just a bonus prize. Google paid 12 mill in bounties this year, Some going for hundreds of thousands. So that top prize probably made them 800-900k.
@CallousCoder
11 ай бұрын
@@AGryphonTamer my point is that it’s not a guaranteed income and also pays relatively poorly. You can hunt for months and only land 17k. Where’s of your are that good in security work and you do hire yourself out you’ll earn that guaranteed in a month. If you do it as a hobby next to your job it’s okay. But I’ve heard of kids trying to do this to pay for college. Than it’s a poor investment of your time.
FYI These are just bonus prizes. Google pays hundreds of thousands for top bounties, this is just extra.
Can you do a video on deleting Google drive. This guy I used to date keeps gaining access to my computer and phone and I can't get help bc he's an expert. The police literally don't do anything because they don't understand... Please post a video on this.
why do pentesters have the most random accounts?
@nkazimulojudgement3583
11 ай бұрын
Anonymous
@rickmonarch4552
11 ай бұрын
@@nkazimulojudgement3583 why would white hat be anon
👋
Makes me wanna take out KCAD away from my resume.
I was always wary of cloud console from the day i used it and keep telling myself how many bugs that would have. You know that weaknesses under the hood but nevertheless you use it because it is convenient and lazy. What socked me is how secure SLDC practices, pentests etc can not find such major holes
I was SOOOO MF CLOSE!!! SOO FLIPPING CLOSE!!!!!!!!!! Meh :|
@LiveOverflow
11 ай бұрын
Ohh what? Tell me more!
I dont know how i would owe $100
Feels weird seeing such high payouts for the kind of stuff I find at work on a weekly basis
@fr5229
11 ай бұрын
Doubt it
@Mordinel
11 ай бұрын
@@fr5229 not the last one, not without a team. Most of these bugs are quite simple all things considered, very reminiscent of stuff I find at my day job.
@sudhanshurajbhar9635
11 ай бұрын
Finding the same bug at Google is a different thing than any random xyz target.
@Mordinel
11 ай бұрын
@@sudhanshurajbhar9635 Did you even watch the video?
Honestly, I didnt understand so many things in this video. This gives me Imposter Syndrome. I should develop myself!
why are those prizes all weird numbers? lol
@tanmaypanadi1414
11 ай бұрын
Google likes thier 1, 3 and 7
let us hold a minute's silence for the 7 poor people who lost their jobs
o.O
Thankfully, you didn't participate; otherwise, no one will have won.
Wanna get off google cloud.. Can you do a video explanation on how you can make the copy of your data that they send back to its original file type?
regarding small rewards, I would rename the contest to "Google's annual intellectual prostitution awards".
*Promo sm*
First
@ees4.
11 ай бұрын
not
Russian
That's the problem with IT today. People will do anything for few dollar or little bit fame. Real businessman would never give this info for free or cheap.
that thumbnail is garbage, this videos was easily a 200k view one with a better thumbnail
@LiveOverflow
11 ай бұрын
Make me one pls
Sprichts du Deutsch...?
I am certain with his knowledge, LiveOverflow could get a job paying the equivalent of $133k. It seems he does not and chose a job that brings him more joy. I respect that
How can you hate kubernetes. It's just awesome :D
So now Ed Sheeran is a tech expert?
I just got a motivation that if a google can have basic issues, i can find them too in hackerone programs. :( ultimately i struggle to focus because i just want a quick win :(