by leesalminen 1120 days ago
A few months ago I stumbled upon a bug in a state machine that allowed me to obtain stuff without having to pay for it. It was a weird combination of steps and was kind of hard to explain.

I submitted a ticket to the support team advising them in painstaking detail the steps needed to reproduce this vulnerability. They could also look at my account and see that I got stuff without paying.

A couple days later I got a reply from a support manager that my concern wasn’t valid and there was no bug.

The next week I happened to be at a conference where the company in question was a sponsor. So, I visited their booth and spoke with the VP of Eng. He asked me to forward the ticket to security@. Within 8 hours I got a reply from them saying that they had fixed the bug.

I guess I’m saying that even if Google let you submit a support ticket it might get ignored because they aren’t trained to deal with security reports.

4 comments

There are quite a few posts on Raymond Chen's "The Old New Thing" blog about bogus security reports, e.g. this one [1] from 2022 or this one [2] from 2006. They're often described as requiring you to already be "on the other side of this airtight hatchway" (a Hitchhiker's Guide to the Galaxy reference) because you already need admin rights in order to get admin rights.

That seems to suggest that Microsoft takes all security reports seriously even if most turn out to be bogus.

[1] https://devblogs.microsoft.com/oldnewthing/20221004-00/?p=10...

[2] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

If MS really investigates all bug reports that is good. But, it seems like this should be expected?

From misc. articles I've seen (mainly posted here on HN; I don't buy MS products) MS dismisses bug reports as unimportant and sometimes takes an extremely long time to address known security vulnerabilities.

This VM escape was initially reported as an RDP bug that MS dismissed as unimportant, until it was used as a VM escape against their hypervisor.

https://www.bleepingcomputer.com/news/security/microsoft-ign...

The (in)famous pass-the-hash bug in windows is an example of MS not addressing serious security issues in a timely manner. Windows treats a password hash as equivalent to the password, so you don't even need to crack hashed passwords you've collected from e.g., the registry to authenticate to windows services (MS "protected" against this attack purely client-side). Microsoft acknowledged the issue was real more than a decade before even attempting to fix it.

Apparently it was a difficult bug that included design failures, but over 10 years and multiple versions of windows for an exploit this severe?

A couple days ago a Google Cloud container escape made HN front page. Comments on that article indicated Microsoft Azure had recently suffered the same, but while Google only allowed access to other containers owned by the same tenant, Microsoft's escape allowed access to all tenants on the same host. Google added a second layer of safety in case the first failed (a dedicated VM per host per customer to run each customer's containers). Microsoft YOLO'd. I don't care enough to research these claims beyond noting that at the time I read them, no one had disputed them.

I don't know if Microsoft is overall still worse than its competitors WRT security (I suspect it is true). But, Microsoft is certainly not an exemplar for how security should be done.

More on-topic with main thread, nonexistent support is kinda what Google is known for?

At least Google now uses abuse@gmail.com for reporting abuse from their infrastructure instead of forcing the reporting party to go through a god-awful web form (when I handled mail at past orgs, I didn't even bother reporting gmail abuse due to the hoops they made you jump through back then; I also used the RFC-Ignorant RBL to punish them and other sites that did not use the RFC mandated email addresses for reporting abuse with a higher bias toward triggering a SPAM tag on their mail).

Perhaps time for an RFC that mandates security contacts?

> The (in)famous pass-the-hash bug in windows

I can't find any articles for this whatsoever on Google. No matter how many times I include "windows" or "microsoft" (quoted or otherwise) I only get clickbait SEO-spam articles talking about pass-the-hash vulnerabilities in general, not any description or reference to a specific incident in Windows.

Could you please link some article about this so I can read about it?

Try: https://www.coresecurity[.]com/sites/default/files/private-f... for a discussion that mentions Paul Ashton's PtH toolkit from ~1997 or so.

Please don't defang that link. It makes it nearly impossible to access in my browser. Right clicking to copy doesn't work (no "Copy" option in context menu). Selecting to copy doesn't work, because HN cuts off the link. I had to open developer tools just to grab the value of the `href` attribute and then edit out the brackets.

But thank you for the PDF, it seems like an interesting read!

(non-defanged link for any future visitors: https://www.coresecurity.com/sites/default/files/private-fil...)

People are just optimizing for the job they have been assigned to in a large organisation, as compared to smaller orgs where ownership is with everyone. In this particular case, the support manager optimized for their own KPI, which could be the number of tickets resolved or closed, whereas the VP of Eng., who is probably the owner of the problem statement, cares more about the issue.

To your point, there should be some easy way to get a security incident report to the security team through an easily discoverable form or similar. This is as easy as a "security incident" option in a support ticket drop-down, and triage is required whether the ingest point is that form or a security@ email.

You and I know this, but if you're not a security practitioner, you might not know. It might as well then be behind a door for a room with a sign that says "Beware of the Leopard."

I understand some scrappy startups like Google don't have the resources to have someone review security incident reports that come through a web form, but maybe they should if they want to be a legit cloud provider?

Googling "report google cloud security issue" does not turn up productive results. Compare to what you get when you google "report aws security issue."

The 3rd result for "report google cloud vulnerability" is productive.

Isn't that what the bug bounty program is?

https://bughunters.google.com/

Also, it doesn't shock me that somebody got a common group name early on in an internet-scale service's lifecycle. I've had a couple such experiences. Simple example: in the early days of Google Hangouts, you could choose your own meeting name in the URL. I chose "compass" for a meeting and accidentally landed in a meeting of Google engineers who were very surprised by my appearance. Fortunately my meeting was a meeting I had arranged so I beat feet and changed my URL to the default auto-generated URL before the rest of my participants arrived.

Fun times when it becomes common knowledge that the way to get attention if support isn't working is to claim a security incident, and everyone starts doing it, hah.

That's pretty easy to deal with: respond with only "not a security issue" if it's not.

Or, actually have support, but that's not Google's style.

I can tell you "obtain stuff without paying by doing a weird combination of steps" happens quite a bunch of times and is not a bug but some sort of easter egg. For a while there was a chain in Europe where if you scanned products in a specific order at the till it would kick in a different price :)