科技回声

A technology news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Don't Be Evil?

36 points, posted by r-shirt over 11 years ago

11 comments

kllrnohj, over 11 years ago

> You don't need to treat me like the bad guy when I'm clearly not exploiting you.

I'm not seeing where Google treated him like a "bad guy"? It sounds like he was expecting Google to sing his high praises, which of course didn't happen. The bug bounty payout also has qualifications that the author didn't come remotely close to meeting ( http://www.google.com/about/appsecurity/reward-program/ ), so I have no idea why he expected he should get paid.

By his own admission he doesn't know how the attacker got access to his account, nor where the $20k came from. So what vulnerability did he find? I guess Google's failure here was to protect the author from his own lax security.
vizzah, over 11 years ago

I failed to follow how the author introduced an "attacker" to this story, when there are no visible suggestions, only his own old credit cards on file, to which he didn't incur any charges, and all that must have happened due to a routing mistake crediting someone's funds to his account. Something which must have been rectified very quickly even without the author noticing.
rgbrenner, over 11 years ago

> Obviously someone has an exploit of adwords that can add credits to accounts without paying for it, and it appears to involve closing and re-opening accounts with expired credit cards.

This point is so obvious that he doesn't bother explaining any further. There was a billing mistake in his account, so therefore there must be an exploit of some kind.

There are other explanations for a billing mistake, but apparently they don't merit consideration.
TomAnthony, over 11 years ago

I disagree with some people here. If this _was_ an exploit that had an attacker (as opposed to the various other explanations people are putting forward) then reporting it to Google is obviously valuable to them, even if he is unaware of how to replicate the exploit. He would

a) make them aware of the problem
b) give them enough of a start to work out what is happening.

So I'd suggest it is worthy of being rewarded if not by the exact rules of the program, at least by the spirit of it.

However, I seriously doubt this is really what happened - he makes a lot of leaps without any corroborating evidence. I am very sure this isn't Google trying to 'screw' the guy.
pastylegs, over 11 years ago
You reported the results of somebody exploiting your account, not an exploit. Why would they reward a simple bug report?
Reply #6341775 not loaded
Reply #6341739 not loaded
droopybuns, over 11 years ago

:C

Can we please downvote this into oblivion? This guy thinks "Reporting a vulnerability" is synonymous with reporting that his account was hacked.

Vulnerability rewards programs incentivize security researchers to properly disclose new attack techniques.

They do not exist to reward the reporting of account compromises.

r-shirt, why would this be useful to the hackernews community?
eli, over 11 years ago

I had a little trouble following that. Are you sure the bug you reported is actually related to the $20,000 credit and not just a separate UI issue?

I'd be very surprised if allowing you to log in with an expired card somehow also allowed you to make unlimited successful payments against that expired card. It just doesn't really make sense. Seems like there is perhaps another bug or something else altogether that is responsible for the $20,000.
steven2012, over 11 years ago

Allowing purchases with an expired credit card isn't really a bug, it's sometimes a "feature". If it was valid when the credit card was added to the account, and if a payment were made from it before it expired, it could have subsequently been labelled as a recurring payment, and then the credit card companies will often allow payments to go through, even after it expired.
Reply #6341596 not loaded
corresation, over 11 years ago

Guy had no idea what the attack -- if any -- was. All he noticed was odd activity on his account, which as easily could have been human error at Google.

However, as to his point that this is a massive imperilment of Google: Not really. Google ads run on a bid system, so introducing fake money doesn't actually reduce the amount of money Google actually makes, and may actually increase it. I get $100+ AdWord credit offers from Google literally monthly, because the effect of my credit is only that I push up the cost for everyone else. Obviously there are limits to this (when advertisers simply bow up) but unless the fraud was really widespread it wouldn't damage Google.
antsar, over 11 years ago

It would be interesting to see statistics on exploits sold in the black market lately, since it seems like these companies (Facebook, Google) are doing a thoroughly good job at pushing independent researchers to do just that. I'm aware that the linked author wasn't a security researcher intentionally uncovering a flaw, but the outcome still sends a similar message.
Reply #6341505 not loaded
cantbecool, over 11 years ago

He found a vulnerability, so "Pay him... Pay that man his money."