[+] [-] kllrnohj|12 years ago|reply
> You don't need to treat me like the bad guy when I'm clearly not exploiting you.
I'm not seeing where Google treated him like a "bad guy"? It sounds like he was expecting Google to sing his high praises, which of course didn't happen. The bug bounty payout also has qualifications that the author didn't come remotely close to meeting ( http://www.google.com/about/appsecurity/reward-program/ ), so I have no idea why he expected he should get paid.
By his own admission he doesn't know how the attacker got access to his account, nor where the $20k came from. So what vulnerability did he find? I guess Google's failure here was to protect the author from his own lax security.
[+] [-] vizzah|12 years ago|reply
I failed to follow how the author introduced an "attacker" into this story, when there are no visible suggestions of one, only his own old credit cards on file, on which he didn't incur any charges; all that must have happened is a routing mistake crediting someone's funds to his account. Something which must have been rectified very quickly even without the author noticing.
[+] [-] rgbrenner|12 years ago|reply
> Obviously someone has an exploit of adwords that can add credits to accounts without paying for it, and it appears to involve closing and re-opening accounts with expired credit cards.
This point is so obvious that he doesn't bother explaining any further. There was a billing mistake in his account, so therefore there must be an exploit of some kind.
There are other explanations for a billing mistake, but apparently they don't merit consideration.
[+] [-] TomAnthony|12 years ago|reply
I disagree with some people here. If this _was_ an exploit that had an attacker (as opposed to the various other explanations people are putting forward) then reporting it to Google is obviously valuable to them, even if he is unaware of how to replicate the exploit. He would
a) make them aware of the problem
b) give them enough of a start to work out what is happening.
So I'd suggest it is worthy of being rewarded if not by the exact rules of the program, at least by the spirit of it.
However, I seriously doubt this is really what happened - he makes a lot of leaps without any corroborating evidence. I am very sure this isn't Google trying to 'screw' the guy.
[+] [-] pastylegs|12 years ago|reply
I had a little trouble following that. Are you sure the bug you reported is actually related to the $20,000 credit and not just a separate UI issue?
[+] [-] eli|12 years ago|reply
I'd be very surprised if allowing you to log in with an expired card somehow also allowed you to make unlimited successful payments against that expired card. It just doesn't really make sense. Seems like there is perhaps another bug or something else altogether that is responsible for the $20,000.
[+] [-] steven2012|12 years ago|reply
Allowing purchases with an expired credit card isn't really a bug, it's sometimes a "feature". If it was valid when the credit card was added to the account, and if a payment were made from it before it expired, it could have subsequently been labelled as a recurring payment, and then the credit card companies will often allow payments to go through, even after it expired.
[+] [-] jacquesm|12 years ago|reply
> and then the credit card companies will often allow payments to go through, even after it expired.
False. The credit card companies will let the payment through based on the number alone as long as you present an expiry date in the future. But it's illegal to continue to charge past the expiry date of the card for recurring payments after the date that was entered when the subscription started, and you're not allowed to change that expiry date yourself without the customer presenting the card again, with the new expiry date. (It's really easy to guess though, just set it 5 years into the future and that's a pretty good stab at getting it right).
The reason why it works is because you'll get a new card, with a new expiry but with the old number. Still, doing this is against the TOS. Easy to do, not proper and very very bad form towards the customer and the card company.
Stuff like this can cost you your merchant account if a customer decides to take it as far as they can. You are not just making charges on behalf of the customer here, this is a form of fraud by the merchant.
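The charging rule in the comment above (the issuer authorises on card number plus any future expiry, so only merchant policy stops charges past the expiry the customer gave), modelled as an added example. This is not code from the thread, from Google or from any card network: the issuer is a toy that approves any known vault token with a non-past expiry, the `tok_` vault token and the `CardOnFile` record are assumptions, and the card data is constructed. It shows the "guess five years ahead" practice side by side with the compliant path, and handles the edge that a card is valid through the last day of its expiry month.

```python
"""Card-on-file recurring billing guard (added example, not from the thread)."""
from dataclasses import dataclass, replace
from datetime import date
import calendar


@dataclass(frozen=True)
class CardOnFile:
    token: str          # vault token standing in for the PAN (assumed, not a real vault)
    exp_month: int
    exp_year: int
    presented_on: date  # when the customer last entered this expiry themselves


def valid_through(exp_month, exp_year):
    """A card is good through the last day of its expiry month, inclusive."""
    last_day = calendar.monthrange(exp_year, exp_month)[1]
    return date(exp_year, exp_month, last_day)


def issuer_authorize(token, exp_month, exp_year, on):
    """Toy issuer: approves any known token whose presented expiry is not in the past.
    This mirrors the behaviour the comment describes (number + future expiry); it is
    an assumption for the example, not a model of any real network."""
    return token.startswith("tok_") and on <= valid_through(exp_month, exp_year)


def charge_recurring_unsafe(card, on):
    """The bad practice: once the stored expiry has lapsed, fabricate one five years
    out and submit anyway. The toy issuer will approve it, which is exactly the problem.
    Returns (authorized, expiry_actually_sent)."""
    exp_month, exp_year = card.exp_month, card.exp_year
    if on > valid_through(exp_month, exp_year):
        exp_month, exp_year = on.month, on.year + 5   # guessed, never confirmed by the customer
    return issuer_authorize(card.token, exp_month, exp_year, on), (exp_month, exp_year)


def charge_recurring(card, on):
    """Compliant path: only ever send the expiry the customer gave; refuse once it has lapsed."""
    if on > valid_through(card.exp_month, card.exp_year):
        return False, "card expired: ask the customer to re-present it"
    if not issuer_authorize(card.token, card.exp_month, card.exp_year, on):
        return False, "declined by issuer"
    return True, "approved"


def re_present_card(card, exp_month, exp_year, on, entered_by_customer):
    """The only legitimate way the expiry on file changes: the customer enters it again."""
    if not entered_by_customer:
        raise PermissionError("expiry may only change when the customer re-presents the card")
    return replace(card, exp_month=exp_month, exp_year=exp_year, presented_on=on)


if __name__ == "__main__":
    # Constructed sample: a card the customer entered in 2011 that expires June 2013.
    card = CardOnFile("tok_4111", 6, 2013, date(2011, 6, 1))
    print(charge_recurring(card, date(2013, 6, 30)))          # last valid day: approved
    print(charge_recurring(card, date(2013, 7, 1)))           # lapsed: refused by policy
    print(charge_recurring_unsafe(card, date(2013, 7, 1)))    # issuer approves the guessed expiry
    renewed = re_present_card(card, 6, 2018, date(2013, 7, 2), entered_by_customer=True)
    print(charge_recurring(renewed, date(2013, 7, 2)))        # approved again after re-presentation
```

The point of keeping `charge_recurring_unsafe` next to the compliant function is that both get an approval from the issuer model; nothing on the network side distinguishes them, so the check that the stored expiry is still current has to live in the merchant's own code.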
[+] [-] corresation|12 years ago|reply
Guy had no idea what the attack -- if any -- was. All he noticed was odd activity on his account, which could just as easily have been human error at Google.
However, as to his point that this is a massive imperilment of Google: not really. Google ads run on a bid system, so introducing fake money doesn't actually reduce the amount of money Google actually makes, and may actually increase it. I get $100+ AdWords credit offers from Google literally monthly, because the effect of my credit is only that I push up the cost for everyone else. Obviously there are limits to this (when advertisers simply bow out) but unless the fraud was really widespread it wouldn't damage Google.
[+] [-] antsar|12 years ago|reply
It would be interesting to see statistics on exploits sold in the black market lately, since it seems like these companies (Facebook, Google) are doing a thoroughly good job at pushing independent researchers to do just that. I'm aware that the linked author wasn't a security researcher intentionally uncovering a flaw, but the outcome still sends a similar message.
[+] [-] dsl|12 years ago|reply
Such numbers are really hard to come by (or disclose publicly).
I can tell you that Google exploits on the black market are basically worthless unless 1) it allows Gmail read/send access or 2) facilitates emptying stolen cards in some way.
Other types of exploits (a Facebook login bypass, or Windows RCE, for example) are far more useful, and the black market community really can't come up with the funds to compete with corporate or government buyers.
[+] [-] rgbrenner|12 years ago|reply
[+] [-] sambe|12 years ago|reply
[+] [-] droopybuns|12 years ago|reply
Can we please downvote this into oblivion? This guy thinks "reporting a vulnerability" is synonymous with reporting that his account was hacked.
Vulnerability rewards programs incentivize security researchers to properly disclose new attack techniques.
They do not exist to reward the reporting of account compromises.
r-shirt, why would this be useful to the hackernews community?
[+] [-] cantbecool|12 years ago|reply