Google App Engine Flaws Described
Bug Hunter Outlines Discoveries in Java Version
A veteran Java bug hunter has disclosed details of what he says are previously unreleased flaws in the Google App Engine for Java.
Adam Gowdiak, CEO and founder of Poland-based Security Explorations, detailed the flaws in a May 15 post to the Full Disclosure mailing list. On the Security Explorations website, meanwhile, he published a technical report and accompanying proof-of-concept attack code, based on the security vulnerabilities and attack techniques discovered as part of an ongoing Google App Engine for Java security research project.
Gowdiak says his decision to release details of unpatched flaws in Google software was driven by the company's failure to communicate with him in a timely and forthright manner, as well as it having made three different "silent fixes" based on his bug reports.
When asked to comment, a Google spokeswoman replied: "A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We're working with him to mitigate it; users don't need to take any action."
Google App Engine allows developers to build Web applications and run them on Google's infrastructure. Four programming languages can be used: Python, Go, PHP and Java. To date, Gowdiak says he's found 41 problems in Google App Engine for Java, which he says is fast approaching the number of individual flaws that Security Explorations has found over the years in the Java runtime environment, or JRE. Some of those flaws could be used to escape the GAE sandbox, although none of the newly disclosed, as-yet-unpatched flaws involve sandbox escapes.
Flaws Found in Security Layer
"The irony is that all of the bugs reported to Google so far were specific to the 'extra security' layer implemented on top of JRE that aimed to protect GAE against ... security vulnerabilities in Java," he says.
Since November 2010, Google has offered a Vulnerability Reward Program that now pays security researchers between $100 and $20,000 for exploitable flaws in Google properties that they find and report to Google.
In recent months, Google's dedicated Project Zero bug-hunting team has begun informing vendors of vulnerabilities it has discovered in their products, giving them just 90 days to issue a fix before details of the flaws are automatically released to the public (see Google's Psychological Patch Warfare).
Gowdiak says he has sent to Google proof-of-concept exploit code to demonstrate how the flaws in Google App Engine for Java could be exploited. "It's been 3 weeks and we haven't heard any official confirmation [or] denial from Google with respect to Issues 37-41," he says in the May 15 post. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code. This especially concerns the vendor that claims its 'security team has hundreds of security engineers from all over the world' and that expects other vendors to react promptly to the reports of its own security people."
Gowdiak says Security Explorations only found out that Google planned to patch two problems - identified by the firm as "issues 35 and 36" - after it noticed that its proof-of-concept code for those two vulnerabilities stopped working.
By going public with these flaws, Gowdiak says he risks that the $20,000 he's been promised by Google's Vulnerability Reward Program - relating to three of the flaws he discovered, as well as details of a fourth flaw that Google initially failed to fully patch - will be canceled. "Google rewards cannot influence the way a vulnerability handling/disclosure of a security research is made," he says. "They cannot be a hostage of any vulnerability reward."
Google declined to respond to a question about whether it would still award the promised bug-bounty funds to Gowdiak.
Via Twitter, multiple fellow vulnerability researchers voiced support for Gowdiak's disclosures, including his willingness to walk away from the Google bug bounty.