Google awards student $10k for discovery of App Engine data leak flaw

Google has awarded $10,000 to a high school student for the discovery of a bug in Google's App Engine server which could lead to information disclosure.

This week, Ezequiel Pereira said in a blog post that he went bug hunting on July 11 simply due to boredom, and after several failed attempts, stumbled upon a way to change the Host Header in requests to the App Engine server without authentication.

The majority of his attempts to change the header -- in order to gain access to internal apps such as * which usually requires going through the Google MOMA login page to authenticate -- failed and returned 404 Not Found errors or security barriers.