
Adnan Khan's Blog

submitted by
Style Pass
2024-04-16 18:00:04

Recently, I reported a “Pwn Request” vulnerability in Google’s Flank repository. Flank is described as a “Massively parallel Android and iOS test runner for Firebase Test Lab” and is an official Google open source project.

The vulnerability allowed anyone with a GitHub account to steal Google service account credentials that were stored as a repository secret, and to obtain a GITHUB_TOKEN with write access.

Google’s VRP rewarded me with a $7,500 bug bounty for this report as a Software Supply Chain compromise under the “Standard OSS Project” tier.

Actions Injection and Pwn Request vulnerabilities are far from new, and exploiting them isn’t worthy of a blog post at this point, but there are some unique aspects to this particular vulnerability that I think are worth highlighting.

What is unique about this repository is how long it was vulnerable despite Google operating one of the best bug bounty programs in the industry. Most “textbook” Pwn Requests are reported within days by bug bounty hunters; however, this vulnerability was introduced on Dec 17th, 2020 in this pull request. This means that for over three years no one identified it, despite a very good chance of a generous bug bounty payment!
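As an added illustration (not code from the post or from the Flank project), the following audit check flags the Pwn Request pattern behind this report: a workflow triggered by `pull_request_target`, which runs with the base repository's secrets and a write-capable GITHUB_TOKEN, that checks out and runs the contributor's pull request code. The sample workflows are constructed, and the secret name is a placeholder.

```python
import re

# Constructed sample workflows (not Flank's actual files), shaped to show the
# difference the check looks for: privileged trigger plus checkout of PR code.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./gradlew test
        env:
          SERVICE_ACCOUNT: ${{ secrets.GCLOUD_SERVICE_ACCOUNT }}
"""

# Same job on the plain pull_request trigger: fork PRs get no secrets and a
# read-only GITHUB_TOKEN, so running their code is not a privilege escalation.
SAFE_WORKFLOW = """\
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew test
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout")
# Refs that resolve to the contributor's commit instead of the base branch.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/.*?/merge")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")


def find_pwn_request(workflow: str) -> list[str]:
    """Return findings for one workflow file; an empty list means the pattern is absent."""
    findings = []
    if not TRIGGER_RE.search(workflow):
        return findings  # no privileged trigger, so no Pwn Request
    if CHECKOUT_RE.search(workflow) and HEAD_REF_RE.search(workflow):
        findings.append("pull_request_target checks out the PR head: contributor code "
                        "runs with the base repository's GITHUB_TOKEN")
        if SECRET_RE.search(workflow):
            findings.append("repository secrets are passed into that privileged job")
    return findings
```

Run it over every file under `.github/workflows/` of a repository; a `pull_request_target` workflow that only labels or comments on the PR, without checking out its code, produces no finding.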
