The latest recipient is an 18-year-old student from Uruguay’s University of the Republic who didn’t realize the severity of the problem. The remote code execution bug was found in the Google App Engine and has since been fixed. In late February, Ezequiel Pereira López gained access to the ‘Stubby’ API and a filed an initial report. By March 4, he’d gained access to the app config service and was able to use internal APIs. He able to change internal settings, his app’s Service Account ID, and set it as a ‘Super App’.
‘Stop Exploring Further’
After reporting this development to Google, the severity of his case was immediately raised and it was CC’d to several employees. He was told to “stop exploring this further, as it seems that you could easily break something using these internal APIs”. It was a surprise when, a few days later, Google sent out an automated response. The researcher was unaware that his bug was considered remote code execution. As well as the $31,337 for RCE bugs, there was an additional $5,000 for a lesser bug. However, though López received more than he expected, it’s clear it wasn’t dumb luck. He has previously discovered bugs to the tune of $500, $5,000, and $7,500, and $10,000. In 2015, he was a Google Code-in grand prize winner and paid a visit to the company’s headquarters. You can find his blog here for a full write up.