Google fixes SQL Injection vulnerability

In June 2013 we discovered a SQL Injection issue in a google service, which was fixed by Googles security team very fast.

On the 13th June 2013 we wanted to find some security vulnerabilities in a google service. We decided to take a look at the diffrent websites of companies which were acquired by Google more than half a year ago. There is a list with nearly all acquisitions by google in a wikipedia article.

It was very easy to compile a list of domains, which are in googles bug bounty scope. We had a quick look at every single website. The domain “preview.meebo.com” seemed very promising. There were a lot of XSS vulnerabilities, what often is an indication for more vulnerabilities. After some more investigations, we found a SQL Injection on their website.

We contacted the Google Security Team about this issue using their contact form and we were very excited to choose the following option:

1

Immediately. If needed, get people out of bed.

It seemed like the website had not a broad reach and that it was not visited frequently. In our opinion this sql injection was not that critical to “get people out of bed”, but the diplayed info box stated that this option should be checked in case of a sql injection issue.

Already 4 hours after our submission we got the infamous response from the google bot:

1

Nice catch! I’ve filed a bug and will update you once we’ve got more information.

That means, that our submission was valid ;)

On the next morning we noticed that the subdomain was not online anymore and it looks like they will not bring it online again. It took Google 10 more days (07/23/2013) to inform us that the sql injection issue in the aquisition will qualify for a reward of $3133.7. (For non-geeks: 31337 stands for elite ;) ).

It took two more weeks (07/10/2013) until we were informed, that the issure was fixed, although the website was taken down the day after the submission. We have the honour to be listed in Googles hall of fame, even though in the wrong section.

Nevertheless we would like to thank Google to give us the opportunity to participate in their bug bounty program. We are happy that we could help one of the world biggest IT-companies.

The team of internetwache.org

Screenshots

Screenshot of the SQL Injection at meebo.com