Bug in “Bug Tracker” Enabled Researcher to Access Google’s Internal List of Critical Bugs
Google, the king of finding security flaws in everyone’s products, apparently left its database of critical vulnerabilities insecure. Alex Birsan, a security researcher, managed to gain access to the company’s internal bug reporting system by making it believe he was an employee. Birsan said that attackers could have also gained access to the database getting the power of unpatched vulnerabilities that they could have potentially exploited to target users.
Birsan managed to gain access to the backend of the bug reporting system by spoofing a corporate Google email address that let him see thousands of bug reports, including critical flaws.
What exactly did Birsan break into?
In his findings, the security researcher wrote that the Issue Tracker (aka Buganizer System) is a tool that Google uses internally to track bugs and feature requests during product development. “It is available outside of Google for use by external public and partner users who need to collaborate with Google teams on specific projects,” he wrote.
In his detailed report, Birsan has shared how he managed to get paid over $15,000 as he kept looking into the powers this access to the Issue Tracker could give him. He started this by trying to get a Google employee account – something you shouldn’t be able to do. Birsan wrote that when he signed up with any other fake email address and failed to confirm the account by clicking on the received link, he was allowed to change the address “without any limitations.” He changed his email address to an internal account firstname.lastname@example.org.
While he didn’t get any direct access to internal network using this fake Google account, he did manage to trick Issue Tracker into assuming he was indeed an employee, giving him privileges to view the bug reports.
Using this access and exploiting other issues, he finally managed to read any and all bug reports. “I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem,” Birsan writes.
Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.
It does seem like a juicy exploit (especially for a blackhat hacker), but Birsan said that Google is extremely responsive to dangerous vulnerabilities. Google’s quick response and heavy bounties have always encouraged white hat hackers to further research into its products, helping the company secure its services. However, this workaround to gaining access to the Issue Tracker could have been used by someone not looking to get some cash from Google as they could have easily made even more by selling critical flaws to criminals.
“I believe you’d have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them. But a large scale attack that puts hundreds/thousands of people at risk? Not so much.”
Birsan, however, insists this is not the “Holy Grail of Google bugs” solely because anything serious reported to Google gets fixed ASAP.
“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs, because it discloses information about every other bug (for example, HackerOne pays a minimum of $10,000 for something similar),” he wrote. “However, after finding it, I quickly realized that the impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway.”
Google fixed the vulnerabilities reported by Birsan and awarded him a total of $15,600 in bug bounties for three reports. The company in an emailed statement said that it has patched all the reported bugs and “their variants.”