Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Google Bug Tracker Exposed Details of Unpatched Vulnerabilities

A bug bounty hunter has earned more than $15,000 from Google after finding several potentially serious vulnerabilities related to the company’s Issue Tracker, including one that exposed the details of unpatched flaws.

A bug bounty hunter has earned more than $15,000 from Google after finding several potentially serious vulnerabilities related to the company’s Issue Tracker, including one that exposed the details of unpatched flaws.

Google’s Issue Tracker, also known as the “Buganizer,” is a tool used internally by the company to track bugs and feature requests during product development, and more recently it has been used to handle vulnerability reports. While some of the issues tracked via the tool are available to the public, a majority are restricted to Google employees, users who work with the company on specific projects, and the individual who submitted the report. Users can take part in a discussion on a topic by sending an email to an address that specifies the category and ID of the issue.

Alex Birsan analyzed the Google Issue Tracker earlier this month and discovered a total of three vulnerabilities. The most serious of them could have been exploited to access the entire database, including private reports describing security holes.

This was possible due to the presence of a feature that allows users to remove themselves from the CC list of a topic in case they lose interest. The functionality works via a POST request. However, due to an improper access control flaw, the system did not check if the user making the request actually had access to the issue they were trying to unsubscribe from. This led to another component of the system assuming that the user had permission to access the specified thread, and provide every single detail about the vulnerability or bug in the body of the HTTP response.

By going through consecutive issue IDs, an attacker may have been able to find the details of critical vulnerabilities affecting Google products. Birsan pointed out that no rate limiting mechanism had been in place, allowing mass data harvesting.

Google assigned the vulnerability the highest priority rating and addressed it within an hour. The company awarded the researcher $7,500 for responsibly disclosing the security hole.

While this appears to be a critical vulnerability that should have earned a much higher bounty, Birsan noted that thousands of issues are submitted every hour and serious flaws are patched almost immediately, making it difficult for an attacker to find something that they could exploit.

“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs, because it discloses information about every other bug,” Birsan said. “However, after finding it, I quickly realized that the impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway.”

Advertisement. Scroll to continue reading.

This was not the only vulnerability discovered by Birsan while analyzing the Google Issue Tracker. While trying to obtain an @google.com email address to gain access to restricted threads – @google.com addresses are reserved for Google employees – the expert noticed that he could change any new @gmail.com address to @google.com if the new address was not confirmed by clicking on a link received via email.

While the @google.com account he obtained did not provide access to systems restricted to Google employees, Birsan said it did provide “a lot of extra benefits in other places across the internet.” Google confirmed the issue within hours and awarded the researcher $3,133.7.

Birsan also found a way to obtain information about non-public issues by leveraging the starring functionality – i.e. clicking on the star icon corresponding to an issue to receive email notifications when a new comment is added. By sending out multiple starring requests with the issue ID changed in each request, the white hat hacker noticed that he started receiving emails related to numerous problems reported by users.

However, a closer inspection revealed that the exposed topics were only related to translations and they would not provide any real value to an attacker. Nevertheless, Google classified it as a critical vulnerability and awarded the researcher $5,000.

Bug trackers can store highly valuable information, which is why they are likely to be targeted by malicious actors. The most serious incidents related to bug trackers involve Mozilla and Microsoft, both of which had their systems breached in the past years.

“Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their 0-day capabilities,” Tripwire researcher Craig Young told SecurityWeek. “Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so. (Often times a critical bug can indicate a functional area which is under-tested and therefore a good place to look for other bugs or variants.)”

“A clever attacker might also take advantage of unauthorized bug tracker access to delay patch releases by manipulating data in the tracker (e.g. delaying when developers see the report, changing pertinent details so that the bug does not reproduce, or even just closing out tickets as invalid),” Young added.

Related: Expert Earns $5,000 for Google Intranet Vulnerability

Related: Google Pays $10,000 Bug Bounty to High School Student

Related: Google Offers $31,337 for RCE Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...