Last year was another record year for Google's Vulnerability Reward Programs (VRP). Thanks to the program, Google, together with its research community, has identified and fixed thousands of vulnerabilities, and the security of the Google Cloud Platform (GCP) in particular has improved.
Google first announced the GCP VRP Prize in 2019 to encourage security researchers to help further improve the security of Google Cloud. The hyperscaler has received numerous submissions over the last 3 years. After careful evaluation, the winners for 2021 have now been announced.
We are very proud that Sebastian Lutz, Team Lead of our Google Cloud Infrastructure Team, took first place here.
Google writes:
Sebastian's excellent report details how he found a flaw in the Identity-Aware Proxy (IAP) that an attacker could have exploited to gain access to a user's IAP-protected resources by tricking them into visiting an attacker-controlled URL and stealing their IAP auth token.
We congratulate Sebastian on first place and his excellent work.
More information about Sebastian's submission and the other winning entries of the Vulnerability Reward Program can be found in this video.
We recommend Sebastian's winning entry to anyone who is also interested in the technical background: Bypassing Identity-Aware Proxy