$10,000 Google Bug Bounty: How a Deserialization RCE in AppSheet Could Have Led to Remote Code…
Summary
In September 2022, a security researcher reported an insecure-deserialisation vulnerability in AppSheet, Google's no-code app platform.
The platform's Automation feature accepted a JSON body from the user and handed it to a .NET deserialiser.
By sending a crafted JSON body through that feature, the researcher found that the platform deserialised it without validating the declared type, so the request could name arbitrary .NET object types and trigger their methods during deserialisation.
Letting the client choose which types get instantiated is the classic route to remote code execution: it could have allowed commands to be run on Google's servers and, from there, theft of customers' enterprise data, deployment of malware or ransomware, or a foothold inside Google Cloud Platform.
After responsible disclosure, Google awarded the researcher a $10,000 bounty and fixed the issue by enforcing a type whitelist (allow-list) during deserialisation and sanitising automation payloads so that they cannot spawn system processes.
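The bug class and the fix, as an added example that is not AppSheet's code or the researcher's proof of concept. The write-up does not say which serialiser AppSheet used; the example assumes Json.NET (the Newtonsoft.Json package), whose `TypeNameHandling` setting is the best-known .NET instance of "the JSON decides the type". `AutomationStep`, `UnexpectedType` and the allow-list binder are hypothetical names, and `UnexpectedType` is deliberately harmless: it stands in for whatever gadget type an attacker would actually name.

```csharp
// Added illustration of client-controlled type resolution in Json.NET and the
// allow-list fix. Not AppSheet's code. Assumes the Newtonsoft.Json package;
// AutomationStep, UnexpectedType and AllowListBinder are hypothetical.
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// The one type the hypothetical automation endpoint is meant to accept.
public class AutomationStep
{
    public string Name { get; set; } = "";
    public string Action { get; set; } = "";
}

// A type the endpoint never intended to construct. Harmless here; in a real
// attack this would be a gadget type whose construction or setters run code.
public class UnexpectedType
{
    public string Payload { get; set; } = "";
}

// Allow-list binder: a "$type" discriminator may only resolve to types listed here.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        ["AutomationStep"] = typeof(AutomationStep),
    };

    public Type BindToType(string? assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t))
            return t;
        // Anything not on the list is refused before an instance is created.
        throw new JsonSerializationException($"Type '{typeName}' is not on the allow-list");
    }

    public void BindToName(Type serializedType, out string? assemblyName, out string? typeName)
    {
        assemblyName = null;            // emit a bare name, never an assembly-qualified one
        typeName = serializedType.Name;
    }
}

public static class Demo
{
    // Vulnerable pattern: the client-supplied "$type" picks the class to build.
    public static object? DeserializeUnsafe(string json) =>
        JsonConvert.DeserializeObject<object>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.All
        });

    // Hardened pattern when polymorphism is genuinely needed: "$type" is still
    // honoured, but only for types the binder admits.
    public static object? DeserializeWithAllowList(string json) =>
        JsonConvert.DeserializeObject<object>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder()
        });

    // Simplest fix when the endpoint expects exactly one shape: ignore "$type".
    public static AutomationStep? DeserializeFixedType(string json) =>
        JsonConvert.DeserializeObject<AutomationStep>(json, new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.None
        });

    public static void Main()
    {
        // Constructed attacker request: "$type" names a class the endpoint never intended.
        string hostile = "{\"$type\":\"" + typeof(UnexpectedType).AssemblyQualifiedName +
                         "\",\"Payload\":\"attacker data\"}";
        // Constructed legitimate request.
        string benign = "{\"$type\":\"AutomationStep\",\"Name\":\"notify\",\"Action\":\"email\"}";

        // With TypeNameHandling.All the attacker's "$type" decides which class is built.
        Console.WriteLine("unsafe: " + DeserializeUnsafe(hostile)?.GetType().Name);

        // The binder refuses the same request before any instance exists.
        try
        {
            DeserializeWithAllowList(hostile);
        }
        catch (JsonSerializationException e)
        {
            Console.WriteLine("allow-list: rejected (" + e.Message + ")");
        }

        // Legitimate requests still work through the binder.
        Console.WriteLine("allow-list: " + DeserializeWithAllowList(benign)?.GetType().Name);

        // With TypeNameHandling.None the discriminator is simply not consulted.
        Console.WriteLine("fixed type: " + DeserializeFixedType(hostile)?.GetType().Name);
    }
}
```

Run it with `dotnet new console`, `dotnet add package Newtonsoft.Json`, replace Program.cs with the block, then `dotnet run`. The design point is the order of the two fixes: reach for `TypeNameHandling.None` first, and only when the endpoint really must accept several concrete types fall back to `Objects`/`Auto` paired with a binder that resolves names from a closed table rather than from `Type.GetType`. A binder that merely filters on namespace or assembly is not an allow-list, because gadget types live in assemblies the application already loads.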