Bug in “Bug Tracker” Enabled Researcher to Access Google’s Internal List of Critical Bugs

Google, a aristocrat of anticipating confidence flaws in everyone’s products, apparently left a database of vicious vulnerabilities insecure. Alex Birsan, a confidence researcher, managed to benefit entrance to a company’s inner bug stating complement by creation it trust he was an employee. Birsan pronounced that enemy could have also gained entrance to a database removing a energy of unpatched vulnerabilities that they could have potentially exploited to aim users.

Birsan managed to benefit entrance to a backend of a bug stating complement by spoofing a corporate Google email residence that let him see thousands of bug reports, including vicious flaws.

Related UK Blames North Korea for WannaCry –  Says “Tit for Tat” Will Pose UK Systems to Serious Risk

What accurately did Birsan mangle into?

In his findings, a confidence researcher wrote that the Issue Tracker (aka Buganizer System) is a apparatus that Google uses internally to lane bugs and underline requests during product development. “It is accessible outward of Google for use by outmost open and partner users who need to combine with Google teams on specific projects,” he wrote. 

In his minute report, Birsan has common how he managed to get paid over $15,000 as he kept looking into a powers this entrance to a Issue Tracker could give him. He started this by perplexing to get a Google worker comment – something we shouldn’t be means to do. Birsan wrote that when he sealed adult with any other feign email residence and unsuccessful to endorse a comment by clicking on a perceived link, he was authorised to change a residence “without any limitations.” He altered his email residence to an inner comment buganizer-system+123123+67111111@google.com.

Related Panama Papers 2.0: Law Firm Hack Puts a Wealthiest during Risk of Being Exposed

While he didn’t get any approach entrance to inner network regulating this feign Google account, he did conduct to pretence Issue Tracker into presumption he was indeed an employee, giving him privileges to perspective a bug reports.

Using this entrance and exploiting other issues, he finally managed to review any and all bug reports. “I usually attempted observation a few uninterrupted IDs, afterwards pounded myself from an separate comment to endorse a astringency of this problem,” Birsan writes.

Yes, we could see sum about disadvantage reports, along with all else hosted on a Buganizer. Even worse, we could exfiltrate information about mixed tickets in a singular request, so monitoring all a inner activity in genuine time substantially wouldn’t have triggered any rate limiters.

It does seem like a luscious feat (especially for a blackhat hacker), though Birsan pronounced that Google is intensely manageable to dangerous vulnerabilities. Google’s discerning response and complicated bounties have always speedy white shawl hackers to serve investigate into a products, assisting a association secure a services. However, this workaround to gaining entrance to a Issue Tracker could have been used by someone not looking to get some money from Google as they could have simply done even some-more by offered vicious flaws to criminals.

“I trust you’d have a flattering good possibility of compromising Google accounts if we had a few specific targets and threw each conflict during them. But a vast scale conflict that puts hundreds/thousands of people during risk? Not so much.”

Birsan, however, insists this is not a “Holy Grail of Google bugs” only since anything critical reported to Google gets bound ASAP.

“When we initial started sport for this information leak, we insincere it would be a Holy Grail of Google bugs, since it discloses information about each other bug (for example, HackerOne pays a smallest of $10,000 for something similar),” he wrote. “However, after anticipating it, we fast satisfied that a impact would be minimized, since all a dangerous vulnerabilities get neutralized within a hour anyway.”

Google bound a vulnerabilities reported by Birsan and awarded him a sum of $15,600 in bug bounties for 3 reports. The association in an emailed matter pronounced that it has patched all a reported bugs and “their variants.”