XS-Search Flaw Found in Google’s Issue Tracker

A security flaw recently discovered in Google’s Monorail open-source issue tracker could be exploited to perform a Cross-Site Search (XS-Search) attack, a security researcher says.  

Monorail, the issue tracking tool for Chromium-related projects, is used by PDFium, Gerrit, V8, and even by Google’s Project Zero, the well-known zero-day bug-finding team. The recently discovered flaw, researcher Luan Herrera claims, could also lead to information leaks. 

Herrera discovered that Monorail, which includes support for downloading the results of a certain search query as a CSV, was vulnerable to a Cross-Site Request Forgery (CSRF) attack. Thus, one could force a user to download the results of a search query when accessing a malicious link.

“If a member of the Google security team or a high profile bug reporter were to access this link, they would download a CSV containing all undisclosed issues they have access to,” the security researcher explains. 

He also discovered that the columns displayed in a search result could be duplicated, which could allow an attacker to arbitrarily increase the length of the generated CSV.

By combining these two flaws, an attacker could perform an XS-Search attack, which allows them to perform complex search queries and inflate the response of a search query.

“The second point is particularly important. If the response of a search query matches a bug, we can make the CSV significantly bigger than a query that doesn’t,” Herrera says. 

The difference in response length would also allow an attacker to calculate the time each request takes to complete, deduce if results were returned, and “achieve the ability to ask cross-origin boolean questions,” the researcher argues. 

Basically, one would be able to, for example, determine whether there are bugs matching specific folders. While many Chromium bug reports indicate the file path and line number where the issue is found, an XS-Search attack is easy to perform, given the public folder structure of Chromium and Monorail treating slashes as words delimiters.

The security researcher, who also provided exact details on how the issue can be exploited, says he discovered that the attack can be performed in three different places. 

This resulted in three different CVE numbers, namely CVE-2018–10099, CVE-2018–19334 and CVE-2018–19335, and in Google awarding Herrera a total of more than $9,400 in bug bounties (roughly $3133 for each vulnerability). 

Related: Google Says Social Network Bug Exposed Private Data

Related: Google Bug Bounty Program Now Covers Platform Abuse