Google did not trust him at first. Then they appreciated him.
The problem I found with Google does not pose a threat to the end user.
He is one of the few Czechs to join the Google Hall of Fame. Vít Šesták, a master's student in computer science, discovered a security flaw in the Google Play application. The company not only appreciated his warning but also rewarded him monetarily, which he wants to invest in his own project.
How did you actually get into the Google Hall of Fame?
It started by accident when I bought a tablet for a work project. While using it, I noticed suspicious things with the payments, which I began to investigate further. I found this to be a security vulnerability.
What did you do with it?
First, I considered what could be done about it, and began to examine the problem in more detail to verify that my suspicion of an error was correct. When I confirmed that they had not dealt with the situation, I wrote to Google.
What was the reaction?
Let's say at first there was a bit of a communication problem. I reported it a different way than they wanted. So when I reported the error a second time, I summarized it more briefly. Their first reaction, however, was that they saw no problem with that, so I had to go even further to explain why a certain behavior did not seem safe to me.
So at first they did not believe you.
You could say that.
Once they accepted your comments, did you continue to work with them?
They communicated with me and from time to time sent me information about how the security team was resolving the reported error, though they did not tell me the details of the solution.
So what exactly was the mistake you discovered?
I do not want to talk about it much, because it is not completely fixed yet.
How do you know it has not been fixed on Google Play yet?
For one thing, I check it from time to time, and they also promised to keep me informed.
So it is probably not a very dangerous mistake, is it?
It could have been noticed by a person without an IT education, but most of the time it does not occur to them to examine it in more detail. For example, lay people may notice a security flaw like the one that affected two Czech banks in the past, when one of the security elements in internet banking was sending a verification SMS message before making a payment. However, some banks made it possible to change the telephone number in the internet banking without any verification, so this additional protection was very easy to circumvent. The problem I found at Google, though, is different and does not pose a threat to the end user who follows basic security habits.
So only the programmers missed something.
The discovered security loophole is not a matter of a textbook programming error; it can be expected that Google will usually have those treated. In my opinion, this was more of an organizational problem, because the responsibility for the error found can hardly be assigned to a specific team.
"I have noticed mistakes in the internet banking, but it never occurred to me that banks are so stupid."
Do you know anyone else who found and pointed out a similar error?
Not with Google, but I know people who have found errors of varying gravity in other systems. For example, a person who revealed a problem with Czech banks, which I have already described. Interestingly, it occurred to me at the time too, but I said to myself that banks cannot be so stupid, and I did not investigate it further.
You study computer science, so do you focus on the security of information systems?
We have a freer study regime at the Faculty of Informatics, so one can choose a field and then study a lot of things in other areas within the elective subjects. My field of study is parallel and distributed systems, but I also have subjects in the field of security. There are some things, though, that one does not learn from a textbook or at school and that must involve one's own invention.
What exactly are parallel and distributed systems?
If you have one computer and you want to calculate something complex, it can take a thousand years. Sometimes it is more advantageous to buy or rent a thousand computers and calculate the task in one year. Parallel and distributed systems are therefore about how to appropriately distribute the calculation between multiple computers or within one computer on multiple processor cores, or even use a graphics card. So, it is about how to use a multi-core processor or set of computers effectively.
In addition to the Faculty of Informatics, you also applied to the Faculty of Economics and Administration. What led you to this?
I have been interested in various technical things since I was a child, and later I found out that I enjoy software the most. While still in high school I once went to the Night of Scientists, of course to the Faculty of Informatics, where economists were also present at the time. I went to see them too, and was intrigued. Even though I never considered not studying computer science, I was thinking about further studies. I enrolled in finance at the Faculty of Economics and Administration, but my studies there are currently suspended.
Can the fields you study be connected in any way?
Lately I have been thinking about what to focus on. Finance is connected to my field of informatics, for example Bitcoin is basically a distributed system. Today's banks and stock exchanges would look completely different without IT. I have recently received a job offer in the field of security, but it would probably not be possible to manage it during my studies. In addition, I started my own project and I hope it will work out.
What is your own project about?
Typing on today's keyboards, including that on mobile phones, is based on the shape of a mechanical typewriter. However, it was not designed to be used when you hold the device in your hands. So, I am developing something that is better suited for today’s situations and demands on writing extensively on tablets or mobile phones. I am working with other people on this, and thanks to the discovery of the mistake in Google, I also got some money that I want to invest in the project.
You have quite a lot of work; do you ever make time for fun?
I do not just sit at the computer; in the summer I like to go to camps, rafting or hiking. And I like to go running.