A list of writeups from the Google VRP Bug Bounty program
*writeups: not just writeups
Contributing:
If you know of any writeups/videos not listed in this repository, feel free to open a Pull Request.
To add a new writeup, simply add a new line to `writeups.csv`:
[YYYY-MM-DD],[bounty],[title],[url],[author-name],[author-url],[type],false,?
If a value is not available, write `?`.
The value of `type` can either be `blog` or `video`.
If any of the fields include a `,`, please wrap the value in quotes.
Please keep the last two fields set to `false` and `?`. The automation will modify these fields.
If available, set `author-url` to the author’s Twitter URL, so the automation can @mention the author.
Blog posts:
2021:
- [Sep 28 – $???] Google Extensible Service Proxy v1 – CWE-287 Improper Authentication* by Imre Rad
- [Aug 24 – $???] The Nomulus rift* by Imre Rad
- [Aug 23 – $???] Hey Google ! – Delete my Data Properly — #GoogleVRP* by Sriram Kesavan
- [Jun 25 – $???] Google Compute Engine (GCE) VM takeover via DHCP flood* by Imre Rad
- [Jun 16 – $???] Story of Google Hall of Fame and Private program bounty worth $$$$* by Basavaraj Banakar
- [Jun 13 – $3,133.7] Privilege escalation on https://dialogflow.cloud.google.com* by lalka
- [Jun 09 – $500] Author spoofing in Google Colaboratory* by Zohar Shacha
- [May 31 – $10,000] AppCache’s forgotten tales* by Luan Herrera
- [May 17 – $???] Clickjacking in Nearby Devices Dashboard* by David Schütz
- [May 16 – $5,000] Auth Bypass in https://nearbydevices-pa.googleapis.com* by David Schütz
- [May 05 – $???] How I Hacked Google App Engine: Anatomy of a Java Bytecode Exploit* by Robert Grosse
- [Apr 29 – $???] De-anonymising Anonymous Animals in Google Workspace* by David Schütz
- [Apr 21 – $???] IDOR leads to how many likes that was hidden | Youtube* by R Ando
- [Apr 20 – $???] Auth Bypass in Google Workspace Real Time Collaboration* by David Schütz
- [Apr 13 – $1,337] Google Photos : Theft of Database & Arbitrary Files Android Vulnerability* by Rahul Kankrale
- [Apr 05 – $6,000] I Built a TV That Plays All of Your Private YouTube Videos* by David Schütz
- [Apr 02 – $100] Play a game, get Subscribed to my channel – YouTube Clickjacking Bug* by Sriram Kesavan
- [Mar 21 – $???] How I made it to Google HOF?* by Sudhanshu Rajbhar
- [Mar 11 – $3,133.7] How I Get Blind XSS At Google With Dork (First Bounty and HOF )* by Rio Mulyadi Pulungan
- [Mar 08 – $0] Google VRP N/A: SSRF Bypass with Quadzero in Google Cloud Monitoring* by Omar Espino
- [Feb 28 – $???] Metadata service MITM allows root privilege escalation (EKS / GKE)* by Etienne Champetier
- [Feb 16 – $0] Dropping a shell in Google’s Cloud SQL (the speckle-umbrella story)* by Imre Rad
- [Jan 27 – $???] Hijacking Google Drive Files (documents, photo & video) through Google Docs Sharing* by santuySec
- [Jan 18 – $1,337] The Embedded YouTube Player Told Me What You Were Watching (and more)* by David Schütz
- [Jan 11 – $5,000] Stealing Your Private YouTube Videos, One Frame at a Time* by David Schütz
- [Jan 08 – $3,133.7] Blind XSS in Google Analytics Admin Panel — $3133.70* by Ashish Dhone
2020:
- [Dec 30 – $???] Getting my first Google VRP trophies* by Imre Rad
- [Dec 27 – $???] Google VRP Hijacking Google Docs Screenshots* by Sreeram KL
- [Dec 22 – $0] SSTI in Google Maps* by Zohar Shacha
- [Dec 21 – $0] remote code execution when open a project in android studio that google refused to fix* by houjingyi
- [Dec 19 – $0] Google VRP – Sandboxed RCE as root on Apigee API proxies* by Omar Espino
- [Nov 12 – $31,337] 31k$ SSRF in Google Cloud Monitoring led to metadata exposure* by David Nechuta
- [Oct 27 – $6,337] The YouTube bug that allowed unlisted uploads to any channel* by Ryan Kovatch
- [Oct 26 – $0] Deciphering Google’s mysterious ‘batchexecute’ system* by Ryan Kovatch
- [Oct 08 – $30,000] The mass CSRFing of *.google.com/* products.* by Missoum Said
- [Oct 01 – $5,000] Google bug bounty: XSS to Cloud Shell instance takeover (RCE as root) – $5,000 USD* by Omar Espino
- [Sep 29 – $???] Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts* by Thomas Orlita
- [Sep 20 – $500] How I earned $500 from Google – Flaw in Authentication* by Hemant Patidar
- [Sep 08 – $10,000] XSS->Fix->Bypass: 10000$ bounty in Google Maps* by Zohar Shacha
- [Sep 07 – $1,337] My first bug in google and how i got CSRF token for victim account rather than bypass it* by Oday Alhalbe
- [Aug 26 – $???] Auth bypass: Leaking Google Cloud service accounts and projects* by Ezequiel Pereira
- [Aug 25 – $1,337] How I Tracked Your Mother: Tracking Waze drivers using UI elements* by Peter Gasper
- [Aug 22 – $???] The Short tale of two bugs on Google Cloud Product— Google VRP (Resolved)* by Sriram Kesavan
- [Aug 19 – $???] The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer* by Allison Husain
- [Aug 18 – $???] How to contact Google SRE: Dropping a shell in Cloud SQL* by Ezequiel Pereira
- [Aug 18 – $???] Three More Google Cloud Shell Bugs Explained* by David Dworken
- [Aug 15 – $???] How I was able to send Authentic Emails as others – Google VRP (Resolved)* by Sriram Kesavan
- [Jul 28 – $1,337] Authorization bypass in Google’s ticketing system (Google-GUTS)* by Zohar Shacha
- [Jul 17 – $5,000] Idor in google product* by baluz
- [Jun 15 – $3,133.7] SMTP Injection in Gsuite* by Zohar Shacha
- [Jun 06 – $500] How i earned $500 from google by change one character .* by Oday Alhalbe
- [Jun 04 – $???] Privilege Escalation in Google Cloud Platform’s OS Login* by Chris Moberly
- [May 21 – $31,337] RCE in Google Cloud Deployment Manager* by Ezequiel Pereira
- [May 10 – $???] Bypassing Firebase authorization to create custom goo.gl subdomains* by Thomas Orlita
- [May 08 – $4,133.7] Bypass XSS filter using HTML Escape* by Syahri Ramadan
- [May 07 – $3,133.7] DOM-Based XSS at accounts.google.com by Google Voice Extension* by Missoum Said
- [May 07 – $???] Google Acquisition XSS (Apigee)* by TnMch
- [May 03 – $???] DOM XSS in Gmail with a little help from Chrome* by Enguerran Gillier
- [Apr 30 – $6,267.4] Researching Polymorphic Images for XSS on Google Scholar* by Lorenzo Stella
- [Mar 27 – $3,133.7] $3133.7 Google Bug Bounty Writeup- XSS Vulnerability!* by Pethuraj M
- [Mar 08 – $6,000] The unexpected Google wide domain check bypass* by David Schütz
- [Mar 07 – $5,000] Google Ads Self-XSS & Html Injection $5000* by Syahri Ramadan
- [Jan 12 – $???] Information Disclosure Vulnerability in the Google Cloud Speech-to-Text API* by Dan Maas
2019:
- [Dec 30 – $3,133.7] How did I earn $3133.70 from Google Translator? (XSS)* by Beri Bey
- [Dec 19 – $???] SSRF in Google Cloud Platform StackDriver* by Ron Chan
- [Dec 16 – $???] 4 Google Cloud Shell bugs explained* by Wouter ter Maat
- [Dec 15 – $5,000] The File uploading CSRF in Google Cloud Shell Editor* by Obmi
- [Dec 15 – $5,000] The oauth token hijacking in Google Cloud Shell Editor* by Obmi
- [Dec 15 – $5,000] The XSS ( type II ) in Google Cloud Shell Editor* by Obmi
- [Nov 29 – $1,337] Writeup for the 2019 Google Cloud Platform VRP Prize!* by Missoum Said
- [Nov 18 – $???] XSS in GMail’s AMP4Email via DOM Clobbering* by Michał Bentkowski
- [Sep 09 – $???] Combination of techniques lead to DOM Based XSS in Google* by Sasi Levi
- [Aug 31 – $36,337] $36k Google App Engine RCE* by Ezequiel Pereira
- [Jul 20 – $13,337] Into the Borg – SSRF inside Google production network* by Enguerran Gillier
- [Jul 10 – $???] Gsuite Hangouts Chat 5k IDOR* by Cameron Vincent
- [May 21 – $13,337] Google Bug Bounty: LFI on Production Servers in “springboard.google.com” – $13,337 USD* by Omar Espino
- [Mar 29 – $0] Inserting arbitrary files into anyone’s Google Earth Projects Archive* by Thomas Orlita
- [Mar 26 – $3,133.7] How I could have hijacked a victim’s YouTube notifications!* by Yash Sodha
- [Feb 12 – $???] Hacking YouTube for #fun and #profit* by Alexandru Coltuneac
- [Jan 31 – $???] LFI in Apigee portals* by Wouter ter Maat
- [Jan 30 – $7,500] $7.5k Google Cloud Platform organization issue* by Ezequiel Pereira
- [Jan 25 – $3,133.7] How I abused 2FA to maintain persistence after a password change (Google, Microsoft, Instagram, Cloudflare, etc)* by Luke Berner
- [Jan 18 – $10,000] $10k host header* by Ezequiel Pereira
2018:
- [Dec 12 – $???] XSSing Google Code-in thanks to improperly escaped JSON data* by Thomas Orlita
- [Dec 11 – $???] Clickjacking DOM XSS on Google.org* by Thomas Orlita
- [Dec 05 – $500] Billion Laugh Attack in https://sites.google.com* by Antonio Sanso
- [Nov 25 – $???] XSS in Google’s Acquisition* by Abartan Dhakal
- [Nov 19 – $???] XS-Searching Google’s bug tracker to find out vulnerable source code* by Luan Herrera
- [Nov 11 – $7,500] Clickjacking on Google MyAccount Worth 7,500$* by Apapedulimu
- [Oct 04 – $???] GoogleMeetRoulette: Joining random meetings* by Martin Vigo
- [Sep 05 – $???] Reflected XSS in Google Code Jam* by Thomas Orlita
- [Aug 22 – $???] Liking GitHub repositories on behalf of other users — Stored XSS in WebComponents.org* by Thomas Orlita
- [May 25 – $???] Waze remote vulnerabilities* by PanguTeam
- [Mar 31 – $5,000] $5k Service dependencies* by Ezequiel Pereira
- [Mar 28 – $???] Stored XSS on biz.waze.com* by Rojan Rijal
- [Mar 07 – $13,337] Stored XSS, and SSRF in Google using the Dataset Publishing Language* by Craig Arendt
- [Feb 24 – $13,337] Bypassing Google’s authentication to access their Internal Admin panels* by Vishnu Prasad P G
- [Feb 19 – $???] Google bugs stories and the shiny pixelbook* by Missoum Said
- [Feb 14 – $7,500] $7.5k Google services mix-up* by Ezequiel Pereira
2017:
- [Oct 30 – $15,600] How I hacked Google’s bug tracking system itself for $15,600 in bounties* by Alex Birsan
- [Mar 09 – $5,000] How I found a $5,000 Google Maps XSS (by fiddling with Protobuf)* by Marin Moulinier
- [Mar 01 – $???] Ok Google, Give Me All Your Internal DNS Information!* by Julien Ahrens
- [Feb 26 – $3,133.7] Exploiting Clickjacking Vulnerability To Steal User Cookies* by Jasminder Pal Singh
- [Jan 04 – $???] fastboot oem sha1sum* by Roee Hay
2016:
- [Aug 26 – $500] $500 getClass* by Ezequiel Pereira
- [Feb 28 – $???] Stored, Reflected and DOM XSS in Google for Work Connect (GWC)* by Ashar Javed
2015:
- [Dec 08 – $???] Creative bug which result Stored XSS on m.youtube.com* by Sasi Levi
- [Oct 29 – $???] XSS in YouTube Gaming* by Ashar Javed
- [Jun 26 – $3,133.7] Youtube Editor XSS Vulnerability* by Jasminder Pal Singh
2014:
- [Oct 31 – $5,000] The 5000$ Google XSS* by Patrik Fehrenbach
- [Oct 26 – $1,337] Youtube XSS Vulnerability (Stored -> Self Executed)* by Jasminder Pal Singh
- [Aug 13 – $???] I hate you, so I pawn your Google Open Gallery* by Ahmad Ashraff
- [Jan 10 – $???] Again, from Nay to Yay in Google Vulnerability Reward Program!* by Ahmad Ashraff
2013:
- [Sep 15 – $3,133.7] XSRF and Cookie manipulation on google.com* by Michele Spagnuolo
- [Jul 08 – $???] Stored XSS in GMail* by Michele Spagnuolo
Unknown Date:
- [??? – $5,000] Google VRP : oAuth token stealing* by Harsh Jaiswal
- [??? – $???] Unauth meetings access* by Rojan Rijal
- [??? – $???] XSS vulnerability in Google Cloud Shell’s code editor through mini-browser endpoint* by Psi
- [??? – $???] Information leakage vulnerability in Google Cloud Shell’s proxy service* by Psi
- [??? – $???] XSS vulnerability in Google Cloud Shell’s code editor through SVG files* by Psi
- [??? – $???] CSWSH vulnerability in Google Cloud Shell’s code editor* by Psi
- [??? – $3,133.7] Open redirects that matter* by Tomasz Bojarski
- [??? – $???] Voice Squatting & Voice Masquerading Attack against Amazon Alexa and Google Home Actions* by ???
- [??? – $???] Blind XSS against a Googler* by Rojan Rijal
- [??? – $???] Multiple XSSs on hire.withgoogle.com* by Rojan Rijal
- [??? – $???] Auth Issues on hire.withgoogle.com* by Rojan Rijal
- [??? – $???] G Suite – Device Management XSS* by Rojan Rijal
Videos:
2021:
- [Apr 09 – $31,337] Explaining the exploit to $31,337 Google Cloud blind SSRF* by Bug Bounty Reports Explained
- [Apr 06 – $31,337] $31,337 Google Cloud blind SSRF + HANDS-ON labs* by Bug Bounty Reports Explained
- [Mar 17 – $165,174] Hacking into Google’s Network for $133,337* by LiveOverflow
- [Mar 08 – $5,000] $5,000 YouTube IDOR* by Bug Bounty Reports Explained
- [Jan 31 – $5,000] Hacking YouTube to watch private videos?* by Tech Raj
- [Jan 25 – $5,000] This YouTube Backend API Leaks Private Videos* by Hussein Nasser
2020:
- [Jul 31 – $4,133.7] Script Gadgets! Google Docs XSS Vulnerability Walkthrough* by LiveOverflow
- [Mar 11 – $100,000] $100k Hacking Prize – Security Bugs in Google Cloud Platform* by LiveOverflow
2019:
- [Dec 09 – $???] BlackAlps 2019: Google Bug Hunters* by Eduardo Vela Nava
- [Oct 01 – $5,000] Google Paid Me to Talk About a Security Issue!* by LiveOverflow
- [Apr 23 – $???] Best Of Google VRP 2018 | nullcon Goa 2019* by Daniel Stelter-Gliese
- [Mar 31 – $???] XSS on Google Search – Sanitizing HTML in The Client?* by LiveOverflow
2018:
- [Nov 14 – $58,837] Google Cloud Platform vulnerabilities – BugSWAT* by Ezequiel Pereira
2017:
- [Jun 21 – $???] nullcon Goa 2017 – Great Bugs In Google VRP In 2016* by Martin Straka and Karshan Sharma
- [Jun 08 – $???] RuhrSec 2017: Secrets of the Google Vulnerability Reward Program* by Krzysztof Kotowicz
2016:
- [Nov 29 – $???] War Stories from Google’s Vulnerability Reward Program* by Gábor Molnár