Google Bug Bounty Report

Background

What is a bug bounty program?

How I found the vulnerability

After learning about Google Script with some friends, we wanted to see if we could find bugs/features in it.

We figured out that any user could send 999 Google Drive files per day, and each of them would send an email to the target saying that a file was shared with them.

After that, we tried changing the owner of the file to be the target, and one friend tried the script on me. I noticed that my Google Drive started filling up without me doing anything. This should not be possible.

The Vulnerability

All of this could be done automatically by a Google Script:

  1. Create a large file that takes up space
  2. Share it with the target
  3. Make them the owner
  4. Remove yourself as an editor

This would fill up the target's Google Drive without them doing anything, while not affecting you.
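One way a defender could spot the four-step pattern above in a file activity log, as an added example that is not part of the original post. The event schema (type, fileId, actor, target, bytes), the addresses and the sample events are constructed for illustration and are not Google's audit log format.

```javascript
// Constructed sample events. The schema (type, fileId, actor, target, bytes)
// is hypothetical and is not Google's audit log format.
const S = "sender@example.com", T = "target@example.com", C = "colleague@example.com";
const sampleEvents = [
  // Two files pushed onto T: created, shared, ownership moved, sender leaves.
  { type: "create", fileId: "f1", actor: S, bytes: 4e9 },
  { type: "share", fileId: "f1", actor: S, target: T },
  { type: "transfer_ownership", fileId: "f1", actor: S, target: T },
  { type: "remove_access", fileId: "f1", actor: S, target: S },
  { type: "create", fileId: "f2", actor: S, bytes: 4e9 },
  { type: "share", fileId: "f2", actor: S, target: T },
  { type: "transfer_ownership", fileId: "f2", actor: S, target: T },
  { type: "remove_access", fileId: "f2", actor: S, target: S },
  // Benign hand-over: T edited the file first and the old owner keeps access.
  { type: "create", fileId: "f3", actor: C, bytes: 2e6 },
  { type: "share", fileId: "f3", actor: C, target: T },
  { type: "edit", fileId: "f3", actor: T },
  { type: "transfer_ownership", fileId: "f3", actor: C, target: T },
];

// Returns sender/recipient pairs where the sender created files, made the
// recipient owner without the recipient ever touching them, then dropped access.
function findPushedOwnership(events, minBytes) {
  const files = new Map();
  for (const e of events) {
    const f = files.get(e.fileId) || { bytes: 0, touchedBy: new Set() };
    files.set(e.fileId, f);
    if (e.type === "create") { f.creator = e.actor; f.bytes = e.bytes; }
    else if (e.type === "transfer_ownership") {
      f.from = e.actor; f.to = e.target;
      f.unsolicited = !f.touchedBy.has(e.target);
    } else if (e.type === "remove_access") {
      if (e.actor === f.from && e.target === f.from) f.senderLeft = true;
    } else if (e.type !== "share") f.touchedBy.add(e.actor); // open, edit, ...
  }
  const totals = new Map();
  for (const [id, f] of files) {
    if (!(f.to && f.from === f.creator && f.unsolicited && f.senderLeft)) continue;
    const key = `${f.from} -> ${f.to}`;
    const t = totals.get(key) || { sender: f.from, recipient: f.to, fileIds: [], bytes: 0 };
    t.fileIds.push(id);
    t.bytes += f.bytes;
    totals.set(key, t);
  }
  // Report only pairs whose pushed files add up to a meaningful share of quota.
  return [...totals.values()].filter((t) => t.bytes >= minBytes);
}

console.log(findPushedOwnership(sampleEvents, 5e9));
```

The benign hand-over of f3 is not reported because the recipient had already edited the file and the previous owner kept access.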

The Report Process

This being my first report, it was not well written.

After the report was submitted, I received a response saying that the report would be looked into.

Google's Final Response

"Hello,

Thanks for reporting this issue. We appreciate you taking the time to help us improve security.

We've taken a look and can confirm that this is a duplicate of an existing bug that we're already tracking. Unfortunately, this excludes the report from our reward program -- duplicate submissions don't qualify for reward or credit.

Best of luck in your future bug hunting."