Google Bug Bounty

Friday, 9 December 2016

We’re taking a break from our series on Secure Continuous Delivery to talk about the Google Bug Bounty. Although we’re not actually talking about Google’s Bug Bounty program itself… instead we’re talking about what appears to be an attempt to exploit people who are searching for it.

If you search for google bug bounty using Google, take a close look at the first result. This is not an advert or sponsored link. What we’d normally expect is Google ranking number one on their own search engine for this search, but instead we see them in second position behind a dodgy-looking result.

Let’s deconstruct this a bit:

The URL

You’ll notice the URL for our search result is https://www--google--com.safenup.googleusercontent.com/about/appsecurity/reward-program/ which is clearly designed to fool people into thinking it’s a legitimate Google page. It even includes the same path info as the legitimate https://static.googleusercontent.com/about/appsecurity/programs-home/ page.

This is a common technique used elsewhere in social engineering: the left-most label of the hostname is made to look like a familiar domain, while the part that actually decides who owns the site is further to the right.

To be honest, it’s surprising Google publish the legitimate content under the googleusercontent.com domain. This feels very much like something that belongs under google.com.
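As an added illustration (not code from the original post), here is a small defender-side check that spots the trick described above: a hostname label that spells out a well-known domain with double hyphens in place of dots, sitting under a different registrable domain. The brand list and the two-label registrable-domain rule are simplifying assumptions for this example rather than a full Public Suffix List lookup.

```javascript
// Hypothetical helper, added for this post: flags URLs whose hostname contains
// a label such as www--google--com that reads as a brand domain once the
// double hyphens are turned back into dots, while the site itself belongs to
// someone else (here safenup.googleusercontent.com rather than google.com).
const BRAND_DOMAINS = ["google.com"]; // assumption: the brands we care about

// Rough registrable-domain extraction: the last two labels. Adequate for the
// .com hosts in this post; a real deployment would consult the Public Suffix List.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns { suspicious, impersonates, registrable, reason } for a URL string.
function analyseLookalike(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { suspicious: false, impersonates: null, registrable: null, reason: "unparseable URL" };
  }
  const host = url.hostname.toLowerCase();
  const registrable = registrableDomain(host);

  for (const label of host.split(".")) {
    if (!label.includes("--")) continue;
    // Undo the substitution: www--google--com -> www.google.com
    const decoded = label.replace(/--/g, ".");
    for (const brand of BRAND_DOMAINS) {
      const mimicsBrand = decoded === brand || decoded.endsWith("." + brand);
      // Only a problem when the real registrable domain is not the brand itself
      if (mimicsBrand && registrable !== brand) {
        return { suspicious: true, impersonates: brand, registrable,
                 reason: `label "${label}" reads as ${decoded} but the site is ${registrable}` };
      }
    }
  }
  return { suspicious: false, impersonates: null, registrable, reason: "no lookalike label" };
}

// Constructed inputs: the lookalike result from the post and the genuine page.
const SAMPLE_URLS = [
  "https://www--google--com.safenup.googleusercontent.com/about/appsecurity/reward-program/",
  "https://static.googleusercontent.com/about/appsecurity/programs-home/",
];
for (const u of SAMPLE_URLS) console.log(u, analyseLookalike(u));
```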

The page

On loading the page, you get a nice blank page and nothing seems to happen. Really? Why did the page not show anything? Must’ve been a mistake. Let’s try another search result. But wait: what’s the actual page content, not the rendered content? I’ve taken a copy of the content and put it in this Gist if you want to take a look.

On quick inspection, we see a bunch of obfuscated JavaScript that doesn’t look consistent with what Google normally produce. In fact, it’s obvious that this code is deliberately contrived to make it hard to understand. For example, we find a bunch of nested function calls that are essentially just complicated ways of constructing strings from other data, invoking postMessage, generating HTML in the most convoluted ways, and many other bizarre things that you would never expect from a legitimate site.

It’s quite clear someone is trying to do something wrong and trying to make it hard for you to know exactly what they’re doing.

If you open the page in your browser (I’d suggest using incognito mode or a clean browser installation) you see this error message in the console:

On further investigation

The “safenup” bit gives me a clue as to where to look next. And sure enough, a quick search discovers this Chromium bug report from May 2015 which includes a comment saying:

the issue is whether the child frame can cross a security boundary and affect the parent. It can’t do that; the only thing it can do here is replace the parent. But then the user can see the new URL, so the child frame can’t hide what it is doing.

So this apparently isn’t an issue to be fixed.

But it makes me wonder whether someone (not necessarily the person that raised the original bug report) is using this as a starting point for building their own exploit and using it to target the Google Bug Bounty program.

Disclosure

This issue was disclosed to Google, but seeing as it is in public search results I thought it best to publish this to make others aware of the issue. Hopefully Google can remove the search result and investigate why it ranked above the genuine page. There’s a concern that if this can happen to Google’s own content, what hope do other organisations have of ensuring that malicious content (successful or otherwise) doesn’t outrank them in Google search.