google has a lot of pros and a lot of cons. but from my view point, it has way more pros than cons. Google likes to remember they were built by engineers and the only way to win is to get engineers on your side
@@pvic6959 i agree with your comment, especially google's policy of the 80/20 rule where 1/5th of the time employees can pursue their own ideas and self organize. However, I was severely disappointed when they officially changed their company moto away from "Don't be evil" [The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.] If that wasn't a warning sign I am a platypus.
@@TheOrganicartist I agree with you as well and am deeply disappointed too. i personally know a few googlers and they were very upset by that as well and there was internal uproar. but from what they say, their teams and leads carry on as if that is still the motto. of course, i cant say for sure but i have no reason to distrust them I think its not part of Alphabets moto but it is still part of googles or something
@@subverter1.188 there is a theory about that, dumb people thought they were smarter than they were and smarter people thought they were dumber than they actually we're
the more you learn the more you know you are not an expert. It is a weird feeling. You start something new and be like: I will be an expert in this. Then you dig deeper and realize that you are a total noob. And then comes a moment when you can answer somebody else a question to that topic and you feel like: Hey i am not a total noob anymore. It is such a good feeling to help others with something you achieved with hard work. And maybe some day they can help you too.
Im from Uruguay, as soon as a heard my country's name i was shocked. Most people dont even know where Uruguay is, but we got this boy killing it rn hahahaha
Maybe it's just me, but I would love it if you could possibly make a video detailing bug bounties, such as basics, legality issues, where to begin etc. Again maybe it's just me but I think this could be a hot topic edit: I should also mention, I understand this information is out there, but was thinking it could be useful as kind of a one-stop-all video
Im planning to do that on my schools web server for us students. I found a LPE so I can overwrite other ppls websites or even the index of the whole website. I cant wait to see everyone‘s reaction :P
@@mactalk2871 One of my classmates back in school also tried something, and I think he got in, but the schools system noticed him because he was doing it during IT class, in the school so they called the police on him :D but fortunately for him he school dropped the case againist him. And I also remember that the IT teacher said the he knows the grading system is vulneratble to SQL injection :) (but I don't think my classmate was doing this)
@@Psanyi42 a first-year student tried to use SQL injection on our uni's main website and was able to break the database. Admins were furious and I believe demanded his expulsion. My teachers' response was along the lines of "how dare you be blame a freshman, who only just learned what SQL is, for this. Every one of our students knows this is dumb and you shouldn't even have your job of you don't know that"
I know you're joking, but just in case: such a bug is never the fault of one person. This is a chain of oversights across multiple teams; devs, system architects, and system security, to name a few.
When interacting with services to the scale of Google. They will be vulnerabilities particularly in configuration (here the staging dogfood API routed by the GSLB and the GSLB from deployment manager). He is impersonating one major GCP service then one major google internal engine through the SSRF.
Shows the reality of what it takes and the amount of work to find just on vulnerability. Also shows how dangerous these exploits are the companies vulnerable to it. 👍
@@bellabear653 I know rigth like what the fuck...give him a mil or something, i wouldnt even submit that sht...but then again i only know pc power button on and off
@@hexadecimalhexadecimal5241 Well google zero days can be very dangerous and since most of the world uses it makes it worth a lot of money. I am surprised people bother helping Google find these exploits for that kind of money. This company earns billions.
I'm a high school student and I'm honestly seriously considering going into security vulnerability research rather than computer programming, this field is insane
Most CS students' only experience before college is programming their calculator in math classes. Plus having experience doesn't necessarily mean being good. And being good at coding isn't such a huge advantage either, since CS isn't about programming. Being somewhat proficient in C, JS and Python for instance won't help much with your calculability and complexity theory classes for instance, beside perhaps having heard of the P=NP problem, Turing machines, halting problem, and the Big O notation before. Unless you also have experience with using the pumping lemma to prove that a particular formal language is non-regular.
Or your math, physics, networking, security, operating systems, programming language theories, and compiler ones (and so on). Even for an algorithm course: do you have experience with dynamic programming to solve problems like the Tower of Hanoi puzzle, shortest path in a graph (Dijkstra, Floyd), or obtaining the maximum a posteriori probability estimate of the most likely sequence of hidden states that results in a sequence of observed events in the context of hidden Markov models (Viterbi algorithm)? I'm not showing off, I'm simply trying to show you that CS is about as much about programming as math is about numbers. Which is to say, it's about much much more than that. Not to mention that a functional programming language like Scheme is taught first in lots of university. While you can use the functionnal paradigm in some modern multi-paradigm languages like JS and Rust, it's not what most people do before college. Unfortunately so, since ML is amazing and arguably one of the most important language ever created. Anyway, good luck in your studies!
I didn't understand half of what Ezequiel explained ... but I swear to god, when they got to the enum, the first thing that came to my mind was the value 'GSLB' :D great job, though
Holy Moly, Ezequiel is freaking master mind. This was very interesting, very educational and I wish I just had 1/3 of that knowledge and be able to assemble pieces of puzzle like this. Congratz, you deserved!!!!
Second time I watch this video, and I still find it awesome! As I understand, besides the prizes, Google should offer him a proposal for hiring, now or soon. He proved to be a great asset.
I'm glad I managed to guess the "transport" right! What a shame would it be if he gave up at that point, especially since the answer is so obvious. But people like him just don't seem to give up. Amazing job.
Anyone who's hacked a machine called Quick on HTB will know how cool this is because the machine involved compromise of HTTP/2. I learnt a lot about protobuf and gRPC on that box but unfortunately that was the last time I ever heard or dealt with it again,pretty cool to see a real world implementation of this. Shout out to HTB for the dope hacks.. Excellent work Ezequiel👌🏾💯
Thank you for these Videos! Its always amazing hearing about those exploits. Having them presented in such a great format really helps with accessibility.
Imo the most important vulnerability in this bug in their cloud API is that most probably other google cloud clients that had an app deployd were exposed also.
This is a fraction of what a employee would make and they dont have to give any other benefits. They get to crowd source their security and not pay an employee
the thing is google has people trying to check those issues. But noone of those found the issue, so the tactic is to make it easier, more legal and still pretty lucrative to tell google when you find stuff like this, instead of risking your own head and google risking big biiiig trouble if they wouldn't pay for stuff like this. Imagine someone finding rce and going for the biggest payday they could. Imagine how much the hacker would earn (probably 10x what google pays, but they risk it not working at all and them going to prison) and imagine what it would cost google... probably billions.
@@mzaki8503 ikr ..i have seen some commie cuck lords on twitter saying google, amazon pay less to their employees while per capita of their employees is highest in the world
I work at one of these big companies and he knows more than I know about our own systems lol. I wish I had his ability to read documentation. My eyes just glaze over when I have to read docs :/ to be clear, what I meant is that I havent spent time trying to learn our systems as deeply as he has learned google systems. but to do that you need to read docs :P I didn't mean google systems but my company's internal systems in general lol
TheOrganicartist this feels out of place, but I'm genuinely curious since you're sharing information like that. Interesting to see the diverse group of people who watch these kinds of videos.
164k Dollars is such a small amount considering the damage that could be done with this vulnerability ... It's a very smart move from companies doint those competitions for their own security measures but I think in this case they could have been a bit more gracious with the amount of money :D
Exploits like this are always caused by lack of someone doing something they should do. Something simple overlooked and/or not checked, at some crucial spot. Still impressive because I'm not sure how he could just find that out somehow externally.
"we concluded that you won the prize","we wanted to surprise you in person", that is definitely eduardo vela's voice.. well blurring doesn't help in this case :P
@@appio4345 I don't know who that guy is, I don't know how he looks like, never heard of that guy before. What privacy are you talking about? Just a name doesn't say anything and if his name (alongside with a photo or a voice) has been published in press before, then I guess their privacy has been already invaded, don't you think?
@@appio4345 Its all in Good faith. Who doesn't know him. He leads GOOGLE'S VRP program and a very cool guy. They are also not talking anything sensitive there ok.
"The Google SRE book he mentions is really cool. It's been on my reading list for many, man years.... But I cannot read books, so I never did." XD I'm DED lol
@@chrislang2118 @aloufin I suspect he doesn't have the ability/experience/motivation to focus in that particular way. It's my experience that reading books is something I can get into, but the thought of it always seems difficult if it's been a while since I read several books consecutively. I've been planning for a while to get some quality tech books, finally will have the money for shortly. Looking forward to learn subjects in depth while simultaneously getting some sorely needed break from too much screen time...
There are a lot of books I want to read, but I just lose interest or focus a few minutes in. I have a better time listening to audio or watching a video/presentation than reading a book. Books aren't for everyone. Might be the case for him too.
Im just learning what packet sniffing/editing is so I think this is way over my head, but good video. I will rewatch after my training arc and see how much I understand then.
I love how humble he is and how he just calmly explains what he did. He's probably smarter than a ton of cybersec people who are working in good jobs in the states who tend to talk down or act like they are so high up than all of us.
why not just get into it then? sounds like you already have the fundamental skills down, just read the terms of a public bug bounty program like Google's one and happy hacking!
![[DRAGON BALL LEGENDS REVEALS & STUFF] LEGENDS FESTIVAL 2024 Special Edition Part 1](http://i.ytimg.com/vi/mV5bGIswTtQ/mqdefault.jpg)
i’ve never seen someone look so chill about winning 160k
probably shock lol
It's because hacking it got him far more pleasure
I am so deep in debt, receiving that news would make me cry, A LOT.
@@gidedin Feel sorry for you ☹️☹️
Is he from Brazil? Might be afraid he'll get kidnapped or some shit after this video releases lol
More software companies should act like this, you need to get these people on your side.
google has a lot of pros and a lot of cons. but from my view point, it has way more pros than cons. Google likes to remember they were built by engineers and the only way to win is to get engineers on your side
@@pvic6959 i agree with your comment, especially google's policy of the 80/20 rule where 1/5th of the time employees can pursue their own ideas and self organize. However, I was severely disappointed when they officially changed their company moto away from "Don't be evil"
[The original motto was retained in Google's code of conduct, now a subsidiary of Alphabet. In April 2018, the motto was removed from the code of conduct's preface and retained in its last sentence.]
If that wasn't a warning sign I am a platypus.
@@TheOrganicartist I agree with you as well and am deeply disappointed too. i personally know a few googlers and they were very upset by that as well and there was internal uproar. but from what they say, their teams and leads carry on as if that is still the motto. of course, i cant say for sure but i have no reason to distrust them
I think its not part of Alphabets moto but it is still part of googles or something
Nah, they are too busy with their heads up their asses asking for "how to reverse a linked list" lol
@@nightking4615 someone's salty because they didn't pass the interviews :D
Ezequiel: "I'm not an expert on this"
Also Ezequiel: *Proceeds to hack Google*
He should go after Fusion and thorium-LFTR nuclear discussion
lmaooo 😁 truee-😂
@@subverter1.188 there is a theory about that, dumb people thought they were smarter than they were and smarter people thought they were dumber than they actually we're
@@banni4291 dunning kruger effect and imposter syndrome?
Google: am I joke to you?
I love how he's like "I'm not an expert on this"
The humble ones are the wisest
Neither is google I guess
the more you learn the more you know you are not an expert.
It is a weird feeling. You start something new and be like: I will be an expert in this. Then you dig deeper and realize that you are a total noob. And then comes a moment when you can answer somebody else a question to that topic and you feel like: Hey i am not a total noob anymore. It is such a good feeling to help others with something you achieved with hard work. And maybe some day they can help you too.
@@Andre-ih1yg Dunning Kruger effect?
He's got some impostor syndrome
How can this dude hold his head up with so much knowledge in it
😂Lol
abahahahahaha
he is not an EXPERT
@@alifellahi the more you know....
800th like
"Now you can maybe see where all of this is going".
I have absolutely NO idea my friend.
Well, I could see where it could go, but would have thought it wasn’t viable at 3 or 4 points where Ezequiel managed to find a way to progress...
Welcome to the club, dude 😎
@@M______M isnt GLSB the pro gay-lesbian movement thing
😂😂me too
@@empnadajhhh9469 😂😂
Pretty cheap way for Google to find major flaws that would cost them millions to fix
Yup. Significantly cheaper to fix issues like this proactively rather than reactively.
Yep they can hire hundreds of ppl for 133k or a pentester would cost like 500k-1m for how many’s servers google has
@@SP1KEY But not all hundred people can find the bug that this guy found. That's why they hold such competitions.
Google are very clever
Many companies do this
meanwhile im struggling to center a div in css
Thats okay, hard problems like that take atleast a week to solve. Atleast if someone is paying you for it
display: flex 💪
@Geralt Rivia display:flex;
place-items:center;
flex-direction:column;
margin: 0 auto;
LOL
Imagine he used the issue tracker API and created an issue that described this exact bug for the internal team, That would've been scary.
Wasn't that a GET request? I might be wrong
@@vishnuprasanth4725 yeah it only performed get requests.
New priority issue: “I made this issue via SSRF.”
lmfao. genius.
Having the PR team on standby was great
I thought hackers just typed at the keyboard for 5seconds and then say "I'm in"?
No lmfao that's just in movies
@@tonkatruckgaming5724 wow really?
Only when the password is 1234 :)
@@tonkatruckgaming5724 main bhi shaamil , lol
ic
password its literally 8 stars... *******, mind games :^)
In Uruguay with 1K/month you can be 'ok'. Im so glad for him
Im from Uruguay, as soon as a heard my country's name i was shocked. Most people dont even know where Uruguay is, but we got this boy killing it rn hahahaha
Yo también ,vamo arriba la celeste
me fui a uruguay una vez y lo amo
jajajajajajjajajajahahah
If we leave the US out of it, I think most people know where Uruguay is!
I think a lot of people know about Uruguay and know where it is. Especially football fans because of Suarez, Cavani, Forlan, Godin, etc.
That protobuf enum trick was really cool, props to him.
You know what would have been funny, is if he figured out how to make a issue on the internal issue tracker for this bug
Yah that's not within terms of the hackathon, to manipulate data. You'd lose the prize money and probably your reputation in the field!
@@DIANA-1337 also, it sent get requests
I've seen this video a thousand times and everytime I get so happy seeing him smile upon learning he won the GCP Prize. Awesome job.
Being from Mexico, seeing a fellow Latin American be so smart in coding really makes me proud
you people expert at that white flour thing that sometimes sneak into nose
@@morlarav602 Completely unprovoked
Maybe it's just me, but I would love it if you could possibly make a video detailing bug bounties, such as basics, legality issues, where to begin etc. Again maybe it's just me but I think this could be a hot topic
edit: I should also mention, I understand this information is out there, but was thinking it could be useful as kind of a one-stop-all video
I agree.
backing this up
Didn’t he make a video about that a while ago? Or am I going crazy?
@@gavintantleff maybe, pls do send ?watch if you know it
I'm from Uruguay and I'm proud of Ezequiel 🇺🇾
What I love about this is that it looks like he was just having fun while learning something. I love it!
It would be nice if more companies would act like google. One more nice thing would be to hire guys who have such a talent
lol i would not be surprised if that option was given to him. also if he just applies regularly, Im sure this looks great on his resume
He worked for some time at Google as an intern, then he got an offer from Facebook as a Security Analyst(just few months back).
Exploiting this bug I would have created a new issue in the google issue tracker :)
That would be funny 😆
Im planning to do that on my schools web server for us students. I found a LPE so I can overwrite other ppls websites or even the index of the whole website. I cant wait to see everyone‘s reaction :P
@@mactalk2871 One of my classmates back in school also tried something, and I think he got in, but the schools system noticed him because he was doing it during IT class, in the school so they called the police on him :D but fortunately for him he school dropped the case againist him. And I also remember that the IT teacher said the he knows the grading system is vulneratble to SQL injection :) (but I don't think my classmate was doing this)
@@Psanyi42 a first-year student tried to use SQL injection on our uni's main website and was able to break the database. Admins were furious and I believe demanded his expulsion. My teachers' response was along the lines of "how dare you be blame a freshman, who only just learned what SQL is, for this. Every one of our students knows this is dumb and you shouldn't even have your job of you don't know that"
@@vinno97 Your teacher has a brain
The prize is a years salary of the engineer that got fired for leaving this bug in their deployment service
Google would end up without engineers then.
I can guarantee nobody got fired for this.
By the rate google is fixing CVE‘s in Chrome, there would now be 5 ppl left working at Google
I know you're joking, but just in case: such a bug is never the fault of one person. This is a chain of oversights across multiple teams; devs, system architects, and system security, to name a few.
When interacting with services to the scale of Google. They will be vulnerabilities particularly in configuration (here the staging dogfood API routed by the GSLB and the GSLB from deployment manager). He is impersonating one major GCP service then one major google internal engine through the SSRF.
Shows the reality of what it takes and the amount of work to find just on vulnerability. Also shows how dangerous these exploits are the companies vulnerable to it. 👍
I LOVE how the prize amount is literally “LEEEET”! Lol
This is the way :D
You do understand that bug he found would be worth a 100s of millions of dollars to them.
It's not good money this kid deserved much much more.
The first winning is also leet, it is e-leet.
@@bellabear653 I know rigth like what the fuck...give him a mil or something, i wouldnt even submit that sht...but then again i only know pc power button on and off
@@hexadecimalhexadecimal5241 Well google zero days can be very dangerous and since most of the world uses it makes it worth a lot of money. I am surprised people bother helping Google find these exploits for that kind of money. This company earns billions.
I'm a high school student and I'm honestly seriously considering going into security vulnerability research rather than computer programming, this field is insane
dont you have to be good at programming to understand computer vulnerability?
@@swagm8919 You really think I'm considering computer science without having experience programming?
@@tgrcode wdym alot of people get into CS from college
Most CS students' only experience before college is programming their calculator in math classes. Plus having experience doesn't necessarily mean being good. And being good at coding isn't such a huge advantage either, since CS isn't about programming.
Being somewhat proficient in C, JS and Python for instance won't help much with your calculability and complexity theory classes for instance, beside perhaps having heard of the P=NP problem, Turing machines, halting problem, and the Big O notation before. Unless you also have experience with using the pumping lemma to prove that a particular formal language is non-regular.
Or your math, physics, networking, security, operating systems, programming language theories, and compiler ones (and so on). Even for an algorithm course: do you have experience with dynamic programming to solve problems like the Tower of Hanoi puzzle, shortest path in a graph (Dijkstra, Floyd), or obtaining the maximum a posteriori probability estimate of the most likely sequence of hidden states that results in a sequence of observed events in the context of hidden Markov models (Viterbi algorithm)? I'm not showing off, I'm simply trying to show you that CS is about as much about programming as math is about numbers. Which is to say, it's about much much more than that.
Not to mention that a functional programming language like Scheme is taught first in lots of university. While you can use the functionnal paradigm in some modern multi-paradigm languages like JS and Rust, it's not what most people do before college. Unfortunately so, since ML is amazing and arguably one of the most important language ever created.
Anyway, good luck in your studies!
I didn't understand half of what Ezequiel explained ... but I swear to god, when they got to the enum, the first thing that came to my mind was the value 'GSLB' :D
great job, though
I'm noob, but would by any chance just calling INT numbers work on a Enum system? like a small bruteforce from 0 to 100 eventually, get something?
@@arduing9589 No it wouldnt work, thats exactly why its an enum. And for more readability ofc.
@@stylishskater92 was wondering too. thanks for explaining
Wow, this is amazing. Shows it pays to RTFM and sticking to a particular target. Nothing comes easy. Thank you for this amazing walkthrough video ❤️.
this is a whole documentary :D
Holy Moly, Ezequiel is freaking master mind. This was very interesting, very educational and I wish I just had 1/3 of that knowledge and be able to assemble pieces of puzzle like this. Congratz, you deserved!!!!
this guy is amazing! Really good detective work.
I love it when the i banner covers up the very small advertisement text in the top-right corner.
This Video actually says: "Never Give Up" & " Believe in Yourself"
Fenil: I needed a message like this. Thank. I'll keep that in my mind all the time.
Second time I watch this video, and I still find it awesome!
As I understand, besides the prizes, Google should offer him a proposal for hiring, now or soon. He proved to be a great asset.
He was hired my google
"I'm not an expert on this"
Yeah, nor Google 😂
Experts blunder too.
Slipping up on one endpoint out of hundreds you build doesn't imply lack of expertise.
I'm glad I managed to guess the "transport" right! What a shame would it be if he gave up at that point, especially since the answer is so obvious. But people like him just don't seem to give up. Amazing job.
“Do you see where this is going?”
Me: Absolutely not
Anyone who's hacked a machine called Quick on HTB will know how cool this is because the machine involved compromise of HTTP/2.
I learnt a lot about protobuf and gRPC on that box but unfortunately that was the last time I ever heard or dealt with it again,pretty cool to see a real world implementation of this.
Shout out to HTB for the dope hacks..
Excellent work Ezequiel👌🏾💯
I love how they threw the 1337 in there. True nerds.
Orange is absolutely my favorite broadcaster in the world of Application Security. What an amazing intellect!
Grande Ezequiel representando Latinoamérica :)
Sólo urguguay😎
@@alexitoyt1130 shhhh
@@alexitoyt1130 solo a el 😎
Don't understand a single thing. Just here to sleep. Soothing & calming voice.
this gives me alot of confidence when not understanding something the first time lol
My heart just get enlightened by these type of findings
And yes soo humble. This guy cannot have a price on his head.
Thank you for these Videos! Its always amazing hearing about those exploits. Having them presented in such a great format really helps with accessibility.
I love that the price tag for this bug is a long LEEEEET :-)
Imo the most important vulnerability in this bug in their cloud API is that most probably other google cloud clients that had an app deployd were exposed also.
The caption at 20:50 should be "GSLB addresses". The SRE book publicly documents BNS addresses as /bns//// . Keep up the good work :-)
Excellent video.!!! .. and remarkable the reasoning that used Ezequiel Pereira !!!.. Congratulations
This is a fraction of what a employee would make and they dont have to give any other benefits. They get to crowd source their security and not pay an employee
the thing is google has people trying to check those issues. But noone of those found the issue, so the tactic is to make it easier, more legal and still pretty lucrative to tell google when you find stuff like this, instead of risking your own head and google risking big biiiig trouble if they wouldn't pay for stuff like this. Imagine someone finding rce and going for the biggest payday they could. Imagine how much the hacker would earn (probably 10x what google pays, but they risk it not working at all and them going to prison) and imagine what it would cost google... probably billions.
Yea right poor employees. Google's employee TC is the highest in Silicon Valley and probably the entire world
@@mzaki8503 ikr ..i have seen some commie cuck lords on twitter saying google, amazon pay less to their employees while per capita of their employees is highest in the world
Negative Nancy
I work at one of these big companies and he knows more than I know about our own systems lol. I wish I had his ability to read documentation. My eyes just glaze over when I have to read docs :/
to be clear, what I meant is that I havent spent time trying to learn our systems as deeply as he has learned google systems. but to do that you need to read docs :P I didn't mean google systems but my company's internal systems in general lol
TheOrganicartist this feels out of place, but I'm genuinely curious since you're sharing information like that. Interesting to see the diverse group of people who watch these kinds of videos.
@@TheOrganicartist I'm definitely going to do the egg + vinegar thing ❤
@@TheOrganicartist This might be the most informative comment I have ever read on RUclips. Thank you man
He says he had to read it 4-5 times and he still didn't fully understand what it does. Don't worry, you're normal :)
@@Antaquelas I think this is the best compliment I have ever received on the internet!
\o/ I'm happy to help.
Google should give a job for this talented person 🔥
You lose your freedom when you work at Google
@@StefanReich I don't think so, still most people in google have a lot of freedom
@@imuser007 Yeah they have good PR. That happens when you have good PR people.
Imagine wanting to work at Google . ewww
It’s the reason he found the bug, you always want outside eyes with no bias or policy etc
I have no idea about what's going on here, but still interested in watching this video
Truly amazing work by Ezequiel, awesome video as well! Congrats!
Insane, Well Done Ezequiel! Looks like I need to understand APIs way more.
I think gRPC is so cool and I love the creative use of it to enumerate values for fields. Really really awesome work!!!!
my head hurts by looking at the gibberish codes but somehow he just make sense of it :)
Congrats on Winning the Big Prize and you deserve it Ez!
That was so cool and informative, I learned a ton about behind the scenes server stuff, great video!
I am looking at the blurred pics of the Google team and trying to find a long-haired polish guy :D
do they work at the seattle branch, i might know them.
Who???
He is making a reference to Gynvael :)
@@Antaquelas who is he?🤨
@@Antaquelas Well more than one Seattle google person fits that description, so forgive my mistake of not recognizing the reference ;D rofl
Plot twist: the prize is paid in the form of GCP Credit.
ROFL.
Haha no way
That would be hilarious, but since they use $ sign it kinda means its paid in USD
Ezequiel: "I'm not an expert on this"
2 week later
Ezequiel: I'm in 🤣
Live overflow the actor: “oh!”
I'm uruguayan and i didn't was expecting this.
25:04 coming up with that idea is ingenious!!!
@14:51 what what program was he using to capture requests and responses? .... great video btw and congrats @Ezequiel Pereira
I believe it was Burpsuite
same question,
in the top right, advertisement is shown throughout the video
164k Dollars is such a small amount considering the damage that could be done with this vulnerability ...
It's a very smart move from companies doint those competitions for their own security measures but I think in this case they could have been a bit more gracious with the amount of money :D
probably one of the better breakdowns on yt, at least for now
29:35 "GSLB" was actually my first guess, since he wants to use gslb, i thought that was the obvious choice lol
Yeah sometimes even the gurus can miss 'obvious' stuff like this
Thanks a lot. This is fun and unremarkable. Congrats to Eziquiel
this bug/video was super interesting, this is why i love liveoverflow lmao
How a person could learn such complex things in his lifetime is beyond me.
Exploits like this are always caused by lack of someone doing something they should do. Something simple overlooked and/or not checked, at some crucial spot. Still impressive because I'm not sure how he could just find that out somehow externally.
Uruguay Uruguay, proud of you !!!
Plot twist: he has a friend that works at Google
This was extremely well figured out and i learnt a lot by watching this video. Well deserved bugbounty (and great writeup / filmup
"What's your name?!"
"Ezekiel"
Indeed it is.
i read the article earlier and i was really happy to see the first line mentioning your video
jsut to brag a little : my first thought was : "its probably glsb"
Too bad it was gslb ;-)
@@andrewtaye gbsl ?
Feel like re-liking this video every time I watch it. That's an intriguing thought flow Ezekiel has!!
Aye! Good job love the expression on his face🏆👍🏾
Vamos Sudamérica carajo! Felicitaciones Ezequiel!
not anywhere close to being the first or closest, just here for the enjoyment :)
Nice work buddy 👊 And smart move Google... easiest way to find your flaws
Every time Ezequiel throws a rock, he hits a private Google server. What kind of luck is that? I guess perseverance does pay.
what kind of Luck ?
Very cool discovery! But I wonder if it's okay to reveal these sorts of internal URLs, stage naming convention and so on a public video
"we concluded that you won the prize","we wanted to surprise you in person", that is definitely eduardo vela's voice.. well blurring doesn't help in this case :P
Not cool to expose him like that, respect their privacy
@@appio4345 I don't know who that guy is, I don't know how he looks like, never heard of that guy before. What privacy are you talking about? Just a name doesn't say anything and if his name (alongside with a photo or a voice) has been published in press before, then I guess their privacy has been already invaded, don't you think?
@@appio4345 Its all in Good faith. Who doesn't know him. He leads GOOGLE'S VRP program and a very cool guy. They are also not talking anything sensitive there ok.
Your channel only gets better! I'm a huge fan!
"The Google SRE book he mentions is really cool. It's been on my reading list for many, man years.... But I cannot read books, so I never did." XD I'm DED lol
does he have a learning disability? I don't get the joke lol
Same I don't understand
@@chrislang2118 @aloufin I suspect he doesn't have the ability/experience/motivation to focus in that particular way. It's my experience that reading books is something I can get into, but the thought of it always seems difficult if it's been a while since I read several books consecutively. I've been planning for a while to get some quality tech books, finally will have the money for shortly. Looking forward to learn subjects in depth while simultaneously getting some sorely needed break from too much screen time...
There are a lot of books I want to read, but I just lose interest or focus a few minutes in. I have a better time listening to audio or watching a video/presentation than reading a book. Books aren't for everyone. Might be the case for him too.
Maybe I'm just stupid, I googled but couldn't find anything about BNS addresses, could someone explain what they are?
Anyone else notice the price money says LEE, EET?
That’s the point. It was done as a joke
Im just learning what packet sniffing/editing is so I think this is way over my head, but good video. I will rewatch after my training arc and see how much I understand then.
14:50 What program is it?
Looks like Burpsuite to me
Easy to follow, yet I would not have come to his method on my own. Kudos to him!
Oh, google meet.
yeah this is more than just sponsored :)
I love how humble he is and how he just calmly explains what he did. He's probably smarter than a ton of cybersec people who are working in good jobs in the states who tend to talk down or act like they are so high up than all of us.
Wie stark soll dein deutscher Akzent sein?
LiveOverflow: Ja
This makes me want to get into this, I already liked finding security vulnerabilities at my company as a SWE
why not just get into it then? sounds like you already have the fundamental skills down, just read the terms of a public bug bounty program like Google's one and happy hacking!