School student gets $10000 from Google for something he did out of boredom

Boredom in school students is quite usual, but who could've guessed that this boredom would get a Uruguayan high school student, Ezequiel Pereira $10,000. As a part of Google's Vulnerability Reward Programme (VRP), Google offers rewards up to $2,00,000 to people who pin point bugs for them.

Pereira, however, had no idea that his finding was of any major consequence until Google responded with a reward sum of $10,000.

Pereira shared email screenshots of his exchange with Google security team. According to Pereira's blogpost which has an email exchange with Google security team, the vulnerability has been fixed and the student was also permitted to make the issue public.

The blog post stated, "On July 11th, I was bored, so I tried to find some bug at Google. I tried a lot of things in many Google services, one of those things was changing the Host header in requests to the App Engine server (*.appspot.com) in order to get access to some internal App Engine apps (*.googleplex.com) that usually require going through the MOMA login page....one of the websites I tried, "yaqs.googleplex.com", didn't check my username, nor had any other security measure."

He further added, "the website's homepage redirected me to "/eng", and that page was pretty interesting, it had many links to different sections about Google services and infrastructure, but before I visited any section, I read something in the footer: Google Confidential."

As soon as he detected the issue, Pereira reported it to Google but had no idea about the real impact of the bug he found. "At that point I stopped poking at the website and reported the issue right away, without even thinking of a better way to show the vulnerability than with Burp," the post read.

According to Google, the bug had pointed to few other variants which could have jeopardized sensitive data to an attacker.