In this video we hear the story of how Ezequiel Pereira found a critical vulnerability in Google Cloud and was awarded $164,674 in total. This is a crazy bug, because it requires so much knowledge about Google internals. We will learn about Google's Global Software Load Balancer, BNS addresses and other secret Google tricks!
00:00 - Intro
00:33 - Meet Ezequiel Pereira
00:58 - The Impact Of The Bug
02:41 - Winning The $133,337 Prize!
04:03 - How To Find a Product To Research?
06:05 - How To Approach Google Products?
07:16 - The BEST Tip For Bug Hunters!
08:08 - What Does Deployment Manager Do?
09:00 - Type Providers: First Research Into Deployment Manager
11:03 - Using Type Providers for SSRF?
13:00 - Going Deeper - Finding A Hidden Version
15:01 - The Google Dogfood Version
15:52 - Discovering Internal Google Options - GSLB
17:34 - The Google SRE Book - Explaining Google's Software Load Balancer
19:34 - Exploiting GSLB?
21:58 - Failing to Exploit GSLB
22:28 - Abusing Protobuf To Find Hidden Enums
25:34 - Google API gRPC/Protobuf Tricks
29:11 - SUCCESS! Attacking Google's Network via GSLB SSRF!
30:34 - Summary