Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

XS-Search Flaw Found in Google’s Issue Tracker

A security flaw recently discovered in Google’s Monorail open-source issue tracker could be exploited to perform a Cross-Site Search (XS-Search) attack, a security researcher says.  

A security flaw recently discovered in Google’s Monorail open-source issue tracker could be exploited to perform a Cross-Site Search (XS-Search) attack, a security researcher says.  

Monorail, the issue tracking tool for Chromium-related projects, is used by PDFium, Gerrit, V8, and even by Google’s Project Zero, the well-known zero-day bug-finding team. The recently discovered flaw, researcher Luan Herrera claims, could also lead to information leaks. 

Herrera discovered that Monorail, which includes support for downloading the results of a certain search query as a CSV, was vulnerable to a Cross-Site Request Forgery (CSRF) attack. Thus, one could force a user to download the results of a search query when accessing a malicious link.

“If a member of the Google security team or a high profile bug reporter were to access this link, they would download a CSV containing all undisclosed issues they have access to,” the security researcher explains

He also discovered that the columns displayed in a search result could be duplicated, which could allow an attacker to arbitrarily increase the length of the generated CSV.

By combining these two flaws, an attacker could perform an XS-Search attack, which allows them to perform complex search queries and inflate the response of a search query.

“The second point is particularly important. If the response of a search query matches a bug, we can make the CSV significantly bigger than a query that doesn’t,” Herrera says. 

The difference in response length would also allow an attacker to calculate the time each request takes to complete, deduce if results were returned, and “achieve the ability to ask cross-origin boolean questions,” the researcher argues. 

Basically, one would be able to, for example, determine whether there are bugs matching specific folders. While many Chromium bug reports indicate the file path and line number where the issue is found, an XS-Search attack is easy to perform, given the public folder structure of Chromium and Monorail treating slashes as words delimiters.

The security researcher, who also provided exact details on how the issue can be exploited, says he discovered that the attack can be performed in three different places. 

This resulted in three different CVE numbers, namely CVE-2018–10099, CVE-2018–19334 and CVE-2018–19335, and in Google awarding Herrera a total of more than $9,400 in bug bounties (roughly $3133 for each vulnerability). 

Related: Google Says Social Network Bug Exposed Private Data

Related: Google Bug Bounty Program Now Covers Platform Abuse

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.