
Google Bug Tracker Exposed Details of Unpatched Vulnerabilities

A bug bounty hunter has earned more than $15,000 from Google after finding several potentially serious vulnerabilities related to the company’s Issue Tracker, including one that exposed the details of unpatched flaws.

Google’s Issue Tracker, also known as the “Buganizer,” is a tool used internally by the company to track bugs and feature requests during product development, and more recently it has been used to handle vulnerability reports. While some of the issues tracked via the tool are available to the public, a majority are restricted to Google employees, users who work with the company on specific projects, and the individual who submitted the report. Users can take part in a discussion on a topic by sending an email to an address that specifies the category and ID of the issue.

Alex Birsan analyzed the Google Issue Tracker earlier this month and discovered a total of three vulnerabilities. The most serious of them could have been exploited to access the entire database, including private reports describing security holes.

This was possible due to the presence of a feature that allows users to remove themselves from the CC list of a topic in case they lose interest. The functionality works via a POST request. However, due to an improper access control flaw, the system did not check whether the user making the request actually had access to the issue they were trying to unsubscribe from. This led another component of the system to assume that the user had permission to access the specified thread, and to return every single detail about the vulnerability or bug in the body of the HTTP response.

By going through consecutive issue IDs, an attacker may have been able to find the details of critical vulnerabilities affecting Google products. Birsan pointed out that no rate limiting mechanism had been in place, allowing mass data harvesting.
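The class of flaw described above, as an added example that is not Google's code or part of the original article: an unsubscribe handler that trusts the issue ID in the request, next to a version that authorizes first, returns nothing about the issue, and throttles repeated probing of IDs. All names, the data model and the sample issues are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Issue:
    issue_id: int
    title: str
    body: str
    viewers: set = field(default_factory=set)  # users allowed to read the issue
    cc: set = field(default_factory=set)       # users subscribed to updates

# Constructed sample data, not real tracker content.
ISSUES = {
    1001: Issue(1001, "Help page typo", "Typo on the help page",
                {"alice", "mallory"}, {"mallory"}),
    1002: Issue(1002, "Restricted report", "Details of an unpatched flaw",
                {"alice"}, {"alice"}),
}

MAX_DENIALS = 3   # assumed threshold; a real limiter would use a time window
_denials = {}     # user -> number of denied requests so far

def unsubscribe_vulnerable(user, issue_id):
    """Models the flaw: acts on the ID and echoes the issue, no access check."""
    issue = ISSUES[issue_id]
    issue.cc.discard(user)
    return {"status": 200, "issue": {"title": issue.title, "body": issue.body}}

def unsubscribe_hardened(user, issue_id):
    """Authorize before acting, keep the response empty, throttle ID probing."""
    if _denials.get(user, 0) >= MAX_DENIALS:
        return {"status": 429}
    issue = ISSUES.get(issue_id)
    # Same answer for "no such issue" and "not allowed", so a caller
    # cannot use the endpoint to confirm which IDs exist.
    if issue is None or user not in issue.viewers:
        _denials[user] = _denials.get(user, 0) + 1
        return {"status": 404}
    issue.cc.discard(user)
    return {"status": 204}  # success carries no issue content
```
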

Google assigned the vulnerability the highest priority rating and addressed it within an hour. The company awarded the researcher $7,500 for responsibly disclosing the security hole.

While this appears to be a critical vulnerability that should have earned a much higher bounty, Birsan noted that thousands of issues are submitted every hour and serious flaws are patched almost immediately, making it difficult for an attacker to find something that they could exploit.

“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs, because it discloses information about every other bug,” Birsan said. “However, after finding it, I quickly realized that the impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway.”

This was not the only vulnerability discovered by Birsan while analyzing the Google Issue Tracker. While trying to obtain an email address to gain access to restricted threads – addresses are reserved for Google employees – the expert noticed that he could change any new address to if the new address was not confirmed by clicking on a link received via email.

While the account he obtained did not provide access to systems restricted to Google employees, Birsan said it did provide “a lot of extra benefits in other places across the internet.” Google confirmed the issue within hours and awarded the researcher $3,133.7.

Birsan also found a way to obtain information about non-public issues by leveraging the starring functionality – i.e. clicking on the star icon corresponding to an issue to receive email notifications when a new comment is added. By sending out multiple starring requests with the issue ID changed in each request, the white hat hacker noticed that he started receiving emails related to numerous problems reported by users.

However, a closer inspection revealed that the exposed topics were only related to translations and they would not provide any real value to an attacker. Nevertheless, Google classified it as a critical vulnerability and awarded the researcher $5,000.

Bug trackers can store highly valuable information, which is why they are likely to be targeted by malicious actors. The most serious incidents related to bug trackers involve Mozilla and Microsoft, both of which had their systems breached in the past years.

“Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their 0-day capabilities,” Tripwire researcher Craig Young told SecurityWeek. “Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so. (Often times a critical bug can indicate a functional area which is under-tested and therefore a good place to look for other bugs or variants.)”

“A clever attacker might also take advantage of unauthorized bug tracker access to delay patch releases by manipulating data in the tracker (e.g. delaying when developers see the report, changing pertinent details so that the bug does not reproduce, or even just closing out tickets as invalid),” Young added.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
