Hacking Google Cloud?
Вставка
- Опубліковано 11 чер 2024
- Every year Google celebrates the best security issues found in Google Cloud. This year we take a look at the 7 winners to see if we could have found these issues too. Will I regret not having hacked Google last year?
This video is sponsored by Google VRP:
Follow GoogleVRP Twitter: / googlevrp
The GCP Prize Winners of 2022:
security.googleblog.com/2023/...
1. Prize - $133,337: Yuval Avrahami unit42.paloaltonetworks.com/g...
2. Prize - $73,331: Sivanesh Ashok and Sreeram KL blog.stazot.com/ssh-key-injec...
3. Prize - $31,337: Sivanesh Ashok and Sreeram KL blog.stazot.com/auth-bypass-i...
4. Prize - $31,311: Sreeram KL and Sivanesh Ashok blog.geekycat.in/client-side-...
5. Prize - $17,311: Yuval Avrahami and Shaul Ben Hai www.paloaltonetworks.com/reso... Talk: • Trampoline Pods: Node ...
6. Prize - $13,373: Obmi obmiblog.blogspot.com/2022/12...
7. Prize - $13,337: Bugra Eskici bugra.ninja/posts/cloudshell-...
Previous Winners:
GPC Prize 2019: • $100k Hacking Prize - ...
GPC Prize 2020: • Hacking into Google's ...
GPC Prize 2021: • Could I Hack into Goog...
Chapters:
00:00 - Intro
01:28 - Python Command Injection (Prize 7)
03:01 - XSS, CSRF and NEL Backdoor (Prize 6)
07:04 - Excessive Permissions in k8s DaemonSets (Prize 5)
09:13 - SSRF auth Authorization Token (Prize 4)
10:46 - OAuth Issue (Prize 3)
12:07 - SSH authorized_key Injection (Prize 2)
14:45 - Kubernetes Engine Privilege Escalation (Prize 1)
18:11 - Discussing the Winner
19:25 - What did I learn from the GCP 2022?
20:51 - Outro
=[ ❤️ Support ]=
Get my handwritten font shop.liveoverflow.com (advertisement)
Checkout our courses on hextree.io (advertisement)
Support these videos: liveoverflow.com/support/
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
![eBPF: Unlocking the Kernel [OFFICIAL DOCUMENTARY]](http://i.ytimg.com/vi/Wb_vD3XZYOA/mqdefault.jpg)
"Yep, I regret not hacking xyz" is something I tell myself everytime i see a writeup on the internet for anything :(. If only there was a easy way to fix my laziness/procrastination
If u found a way pls let me know 😑
It's called don't be an idiot.
isn't that our biggest enemy ... our own procrastination
Amphetamines. Cocaine.
I'm kidding of course, these are at best short-term motivators. If you want to adopt a new behavior intentionally, one of the most important things is long-term motivation.
You need to think "If only I did X, I'd be a little closer to goal Y", where Y is a goal that you can reach by continuously working on X.
@@Maxjoker98Adderall, Xanax.
I'm not kidding tho.
Just kidding ha ha...!
Its always funny seeing some of the vulnerabilities in these bugbounties are so simple its baffling. "ah that would never work its so simple those engineers probably have 20 checks on it" Hindsight 2020 i guess after the fact
Obviously outsiders can’t comment on the work environment, but if I had to guess it’s like this.
1) Google wants a new feature
2) Timeline is really short or engineers take their sweet time to procrastinate then rush it out
3) Lacks proper checks and review
4) Goes to production
yeah i always hear what kind of amazing engineer you have to be to work at FAANG and I guess 100 PhDs will block everything I do.... then I see this
I think it's more likely just the fact that they are always trying to improve, and therefore always changing. The more you change, the more likely it is someone will make a mistake or two systems will interact in a way that will open one or the other up to a vulnerability that was formerly not possible.
That's why the Google Cloud hacking competition is brilliant - for about the cost of a single software engineer, Google gets thousands of talented individuals discovering weaknesses in their system, most of which a Google engineer can then fix in like 5 minutes.
It's also just that there's just *so much code* and *so many people* that things slip through easily.
its like puzzle
I think it is wonderful that Google is paying for third party research, made publicly available, not "just" bug hunting.
It's better to pay a few thousand for a bug to be responsibly disclosed then it be used maliciously and potentially cause millions in damage
@@mollthecoder Yep, that is true. If they don't pay, someone else will.
I don't think they are either bug hunting or doing user experience or anything on GCP because ITS AWFUL, that's why its cheaper than AWS or Azure
@@mollthecoder " potentially cause millions in damage" is anything serious using GCP ?
I'm very surprised. At least 2 of these bugs could have been found by using a very basic bad-string library on the APIs arguments.
As long as you see this fix as a swiss cheese slice
Love how all of the prizes are variations on 1337.
all Google bounties have 1,3 and 7 always
It would be an interesting video idea if you film the process of finding an actual vulnerability in something like Google cloud (if you actually manage to find one). Which you can release once the party has had time to fix it. It would give a more real world example of how you go about finding vulnerabilities that isn't just capture the flag.
I don't remember which videos specifically, but I'm 99% sure he's done almost exactly this
@@expandingsalad786 can you name me 1 video pls
Finding bug bounties at this level is like panning for gold.
Was exposed to Kubernetes Clusters in my work. I think, there is still unbelievably many bugs, we have no idea of. The more complex your cluster the higher the chance, that there is a misconfiguration. The juciest ones being at egress and ingress nodes (apart from the master node). Builing up your patience for it might be very fruitful! ;) And thank you of course for you insanely valuable content!
Proud of Yuval's incredible work and findings 🙌
I don't know if it's just me, but these prizes seem absurdly low for what they're worth. And also considering software engineers at google get salaries in the range of hundreds of thousands per year, the reward is like what, a few weeks of pay for one of their employees? The first two prizes are more "worth", but even those are low compared to their value. It makes you wonder how many people find such exploits and instead of turning them in they'd rather sell them on the black market.
This is just a bonus on top of the regular bounty reward ;)
@@LiveOverflow Yes, bonus to yearly 100 $
@@stewiegriffin6503 $100? Where did you get that number? Google paid an average of $11k per vulnerability of chrome. And they paid out 12 million this year. A few rewards even going for hundreds of thousands.
@@LiveOverflowhow big is "usual bouny reward"?
Google paid an average of $11k per vulnerability of chrome. With some going for hundreds of thousands. Even for software engineers that's not nothing. It's profitable people are building teams to find bugs, and Google paid out over 12 mill this year.
Now let's say you're a skilled software engineer, and you find a vulnerability. Would you rather take your chances on the black market, where you'd be breaking the law, risk losing your job, getting arrested, and have no guarantee of getting paid, or get paid a not insubstantial (if not massive) amount 100% legally.
I know what I'd pick.
This is so cool. I just recently discovered your channel and you are already in my top 3 favorites. You inspire me so much to keep learning new things and experimenting with new technologies.
One clarification, don't use the phrase "PODs or containers" because first they are not the same thing, and for a bit of extra knowledge, PODs can have multi-containers inside of them. Love your work, keep it up!
True but normally people referring to the other containers in a pod will be referring to a sidecar or init container.
I really enjoy watching your videos; they motivate me to keep studying.
Congratulations to all the winners!
The payout structure is a play on leet right? Didn't realize that was still a thing
Wow, great video! You should definitely try next year!
Great Ed Sheran teaching us about hackin
Really interesting, thanks for the upload.
Thanks for this nice content.
So surprised with Ssh key injection, is crazy.
Daaaamn if a team can win 4th to 2nd place does it mean there could be a team that would win all 7 places? (I know it's next to impossible, but I wonder what would it take)
Let's find out. When are you free?
It's not impossible
@@coldfire6869yeah you got the right attitude, In good at Social engineering :D
Think bigger : a whole company.
@@whannabi I'm dead ass serious, over here! I'm down AF! Y'all just lemme know what's up, we can link up then delete our post to ditch any evidence "Just in case there be lurker's" thank goodness for hiding in plain sight, it's a beautiful thing, truly it is.
You are great as always, thanks!
Hey man I love the work you do the breakdowns are incredible. Really loved the description of Sockpuppet and wondering if you’d do more with iOS/xnu. The FORCEDENTRY (Triangulation) vulnerability is very intriguing (zero click) and I’m still purposefully in the cross hairs on iOS 14.2. Would you please look into these CVE to see if there is a potential video for the channel and us viewers? RCE with no interaction from a user 😱
It’s so crazy hearing the theme tune for liveOverflow for ages and then realise it’s by Gunnar who I just saw with Puscifer! How crazy
"But, time issues can be solved with just, spending more time..."
-LiveOverFlow @ 20:27
Sorry for offtop but...from the security researcher perspective, what do you think about passkey?
I laughed a lot at every recap saying "We'll see if I regret" :D
That's fucking genius with the image drag n drop.. good lord.
love how all the prize money is variations of 1337
Is the entire video an advertisement? because the text stays in the top right corner the entire time
well the video was sponsored by Google. So I should probably clearly and transparently disclose that ;)
Can you make a video how dangerous extensions are (Browser, VSC)? I think its quite hard to find sources on that that are not like "its really dangerous" but yet everyone uses them.
Good video.
Good to see "Buğra" here, he's a teenager from Turkey, I saw his video on "Google Cloud OS Command injection" but didn't know he won the prize. Let the 'mdisec' community rise.
Hy I am from Pakistan and stuck in a question, I just want to know how x86-64 Architecture processor know what is the required privilege level of the instruction or what privilege required to execute fetched command or with what it should compares CPL when executing the command. I Hope you will understand my question and respond to architect security enthusiast like you. Thanks
i admit i tried the command shell last year but at the end i just didnt continue...damn....this year i proposed myself to learn more abour kernel windows, and stuff, but i think i must dedicate some time to google
What's up with the "Advertisement" hanging out at the top right corner for the entire duration of the video?
The entire video was paid for by Google, and google used it on their own page. So it kind of makes sense to declare it.
noice!
I might have found that last SSH problem by mistake when typing my username, but I was too busy to care.
why to ssh in the browser?
so gr8
We will see,,
*5 years later:*
We will see
I honestly think 100k is not enough for finding these bugs. consider how large google is.
This is just a bonus prize. Google paid 12 mill in bounties this year, Some going for hundreds of thousands.
Push!
Why does the video say `advertisement` in the top all through the video?
it's a sponsored video, so I want to transparently disclose this
@@LiveOverflow Oh ok that makes sense, thanks.
Hello there fellow VRP Hall of Famers! 😅
Although I don't think they label us as HoF anymore though.
Kudos to Google for doing this, and for the researchers for participating
LETSS GOO!
👋
i use it as a ide
Organisations, developers should learn from google :)
Google's product naming is so confusing. Is this Google Cloud as in Drive and Docs or Google Cloud as in GCP? And what is Google One and where did that suddenly come from??
Nowadays Baidu Servers
Daemon set trampolines...
Why is the 6th place prize money at 3:14 displayed as 13,373$ when it could have been much cooler as 13,337$?
Because 7th place was 13,337$ already
@@hansmuds6018 True. Should have been 13333.37$ to avoid this issue.
Sreeram KL ♥
fell victim of one of those oauth thing a long time ago
Please make bypass biometric security
Plastic surgery
Finger print scanners are easy and sometimes messy
gj u are first
This month I reported 2 bugs in Google products, both were Triaged, 1. P4 to P3 2. P2 . But they came with final result that, they want some serious impact on that..still working on those and one more I reported few days ago which sleep SQLI injection.. hope this one will get Triaged and will get my reward 😢 also had one bug which was Triaged, more than 2 months ago in Microsoft, they are taking so much time.
Leet bounties.
Google should write more code in rust. 😂
5:20 wtf. Literally.
I was always wary of cloud console from the day i used it and keep telling myself how many bugs that would have.
You know that weaknesses under the hood but nevertheless you use it because it is convenient and lazy.
What socked me is how secure SLDC practices, pentests etc can not find such major holes
why do pentesters have the most random accounts?
Anonymous
@@nkazimulojudgement3583 why would white hat be anon
130k for god knows who much time, is a bad pay. A good security engineer who goes freelance will turn that over in a year, here in NL and D. And unlike bug bounties this income js a continuous income source.
The winner did this work as an employee at paloaltonetworks. So this is just an extremely juicy bonus ;)
@@LiveOverflow then it’s nice yeah 😄Until Der Steuerambt drops by I heard that in Germany it’s also as bad as here in NL these days. With the governments basically stealing income from its citizens without proper representation. 😏
This is just a bonus prize. Google paid 12 mill in bounties this year, Some going for hundreds of thousands. So that top prize probably made them 800-900k.
@@AGryphonTamer my point is that it’s not a guaranteed income and also pays relatively poorly. You can hunt for months and only land 17k. Where’s of your are that good in security work and you do hire yourself out you’ll earn that guaranteed in a month. If you do it as a hobby next to your job it’s okay. But I’ve heard of kids trying to do this to pay for college. Than it’s a poor investment of your time.
FYI These are just bonus prizes. Google pays hundreds of thousands for top bounties, this is just extra.
Can you do a video on deleting Google drive. This guy I used to date keeps gaining access to my computer and phone and I can't get help bc he's an expert. The police literally don't do anything because they don't understand... Please post a video on this.
Makes me wanna take out KCAD away from my resume.
I was SOOOO MF CLOSE!!! SOO FLIPPING CLOSE!!!!!!!!!! Meh :|
Ohh what? Tell me more!
o.O
Feels weird seeing such high payouts for the kind of stuff I find at work on a weekly basis
Doubt it
@@fr5229 not the last one, not without a team. Most of these bugs are quite simple all things considered, very reminiscent of stuff I find at my day job.
Finding the same bug at Google is a different thing than any random xyz target.
@@sudhanshurajbhar9635 Did you even watch the video?
Honestly, I didnt understand so many things in this video. This gives me Imposter Syndrome. I should develop myself!
I work for big tech and I knowingly introduce zero day exploits.
😱
I dont know how i would owe $100
why are those prizes all weird numbers? lol
Google likes thier 1, 3 and 7
regarding small rewards, I would rename the contest to "Google's annual intellectual prostitution awards".
let us hold a minute's silence for the 7 poor people who lost their jobs
*Promo sm*
Thankfully, you didn't participate; otherwise, no one will have won.
Wanna get off google cloud.. Can you do a video explanation on how you can make the copy of your data that they send back to its original file type?
First
not
Russian
That's the problem with IT today. People will do anything for few dollar or little bit fame.
Real businessman would never give this info for free or cheap.
Sprichts du Deutsch...?
that thumbnail is garbage, this videos was easily a 200k view one with a better thumbnail
Make me one pls
I am certain with his knowledge, LiveOverflow could get a job paying the equivalent of $133k. It seems he does not and chose a job that brings him more joy. I respect that
How can you hate kubernetes. It's just awesome :D
So now Ed Sheeran is a tech expert?
I just got a motivation that if a google can have basic issues, i can find them too in hackerone programs. :( ultimately i struggle to focus because i just want a quick win :(