The student, Ezequiel Pereira, said he was searching for bugs in the platform July 11 because he was “bored.” During his search, he reportedly found a method to change the Host header in requests to App Engine without authorization.
Using Burp, a security testing suite, Mr. Pereira found one website — yaqs.googleplex.com — that allowed him unauthenticated access: the server did not check his credentials and redirected him to an internal Google website with a note that read “Google Confidential.”
He reported the issue to Google, which awarded him $10,000 after learning there were variants of the bug that would have allowed an attacker to access sensitive data.