
406 points vk6 | 3 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. Last thing they need to do is to send the signal that it's better to sell these on the black market.
replies(9): >>41867499 #>>41867548 #>>41867653 #>>41867666 #>>41867873 #>>41868146 #>>41868628 #>>41868995 #>>41869073 #
billy99k No.41868995
I've made lots of money with bug bounties over the years and mostly stopped this year in favor of private consulting. Companies will try anything to get out of paying, even through the major platforms.

I once found a bug where I could access all of the names, addresses, emails, and phone numbers of all users for this new contest this company was running. I even found public announcements on Twitter. They told me this was a staging environment and wouldn't pay me. It clearly wasn't as the urls were linked directly to the announcement.

Another time, a company had an application that allowed other companies to run internal corporate training. I was able to get access to all accounts, information, and private rooms of all Fortune 500 companies using it. They initially tried to get out of it by telling me they didn't own the application anymore (and immediately removed it from scope). I had proof it was in scope at the time I found the bugs (and even confirmed it beforehand with the platform).

Luckily, the platform I went through fought this and I got my payout... 6 months later.

Even now, I have 50+ bugs that were triaged over the past year and the companies just sit on them and won't respond or pay out. Major platforms like HackerOne and Bugcrowd don't seem to protect their researchers at all.

replies(1): >>41869233 #
1. alt227 No.41869233
If they make excuses, sit on it, or don't pay out, release those bugs into the public domain; that's how this system works!
replies(1): >>41871105 #
2. billy99k No.41871105
While I would love to do that, I still enjoy making a living in security.
replies(1): >>41879386 #
3. alt227 No.41879386
I'm genuinely interested here. If you made some security bugs public due to the company not cooperating properly, would that damage your reputation in the community to the point it would jeopardise your career opportunities?

From the outside looking in, it seems that the community would applaud that behavior, but I am not familiar.