Two fairly young Swedes behind the security startup Detectify (more on that later) set out one night with a goal of hacking Google. Finding potentially compromising exploits are their day job, and just for fun they wanted to see if they could get some of that hot bug bounty that large companies pay out if you find potentially compromising bugs in their code. The logic for a company like Google is that if they pay hackers, then they don't have the incentive to take advantage of the exploit themselves or sell it on the black market.
"The whole hack started off when we decided to give it a go at hacking Google one night, and we wanted to try to hack one of these companies that offered a bounty. We wanted to see if we could hack google by using their own search engine," says Fredrik Nordberg Almroth, cofounder of Detectify tells us.
They started out googling for older Google products - which were unlikely to be maintained and might be broken in interesting ways. As they write on their blog,
One system caught our eyes. The Google Toolbar button gallery. We looked at each other and jokingly said “this looks vuln!”, not knowing how right we were.
Not two minutes later we noticed that the gallery provides users with the ability to customize their toolbar with new buttons. If you’re a developer, you’re also able to create your own buttons by uploading XML files containing various meta data (styling and such).
Fredrik read through the API specifications, and crafted his own button containing fishy XML entities. The plan was to conduct an XXE attack as he noticed the title and description fields were printed out when searching for the buttons.
Their plan worked, and they were able to upload their files into Google's production server with read access to the /etc/passwd and /etc/hosts of one of Google's production servers. "We could just as well have tried to access any other file on their server, or moved on to SSRF exploitation in order to access internal systems. To say the least, that’s pretty bad," they explain on the blog.
"The first reply came within minutes, and said "woah, we should get back to you" said Almroth. Their bug ended up paying them $10,000, which they say they're going to use for a roadtrip across Europe this summer.
If all of this sounds foreign to you and you run a website, then you should check out their service, Detectify. They offer a website scanning tool that will test 100+ attack vectors that should get your website security sorted out.
"Everything as far as websites go is broken in one or many more ways. All the available ways of fixing this is too complicated, so we wanted to create a service that normal people could use to get an overview of what security issues are on the website," says cofounder Mathias Karlsson.
With Detectify they're going for mass appeal in an easy-to-use format. The way it works is you plug in your website, verify ownership, and start scanning without any downloads needed.
What's interesting is the payment model Detectify have taken. They've played around with a flat-rate fee, recurring payments for scans (like an Antivirus), and other models. Right now they've stuck with a "pay what you want" method where you name whatever price you think the scan is worth after you see the results.
So far it's bringing in some money, but not enough really to support the team. Their problem is that users don't know what they're paying for if they're charged before the scan - and additionally if you're paying up front and your security is up-to-par, then you feel like you're getting nothing out of it. Right now the team is considering the "pay what you want" method to gather data during their scans, and to see what price points people are using.
Until they figure out the price point, they've got the Google bounty to keep them going.