The bug allowed the researcher to see the most sensitive vulnerabilities in Google’s services.
A series of flaws in Google’s internal bug tracker let a security researcher gain access to some of the company’s most critical and dangerous vulnerabilities.
The company’s internal bug reporting system, known as the Issue Tracker (or the “Buganizer”), is used by security researchers and bug finders to submit issues, problems, and security vulnerabilities with Google’s software, services and products.
Most ordinary users have very little access to the bug tracker. But a security researcher found that by spoofing a Google corporate email address, he was able to gain access to the back-end of the system, and to thousands of bug reports — some of them marked as “priority zero,” the most severe and dangerous vulnerabilities, with which a hacker could do untold damage.
Alex Birsan, who discovered the flaws, told ZDNet that an attacker could have discovered and exploited submitted vulnerabilities to target and potentially compromise Google accounts.
Worse, an attacker could’ve used a vulnerability to infiltrate Google’s internal network.
Birsan explained in a write-up of his findings that he created a Gmail account which, prior to verifying the new account by email, would let a user change their email address to any email address, including Google corporate accounts.
Although Birsan’s newly-created fake Google account wouldn’t give him direct access to the company’s network, it was enough to trick the Issue Tracker into thinking he was an employee, giving him elevated privileges to view and interact with bug reports, such as receive notifications and updates on issues.
From there, he was able to send altered requests to the Issue Tracker server, letting him read any bug he wanted — including the most sensitive vulnerabilities — because of a failure to properly validate the logged-in user’s permissions against each report.
Or, as Birsan described it, the “holy grail of Google bugs.”
“Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters,” he explained.
After he reported the bugs, his access was revoked and the vulnerability fixed within the hour.
Birsan didn’t underestimate the severity of the vulnerabilities, but hedged his findings with a key caveat. The bigger the vulnerability, the quicker it gets fixed by Google, he explained. “So even if you get lucky and catch a good one as soon as it’s reported, you still have to have a plan for what you do with it.”
“That being said, I believe you’d have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them,” he said.
But a large-scale attack that puts hundreds of thousands of accounts at risk was less likely, he said. “All in all, it depends entirely on what other people report while you’re eavesdropping,” he added.
Given that thousands of internal issues were added each hour, he said, “Who knows what kind of juicy information could be found in there?”
These bug databases are ripe targets for nation-state attackers, who want to target major technology companies. Earlier this month, Reuters reported that Microsoft’s secret bug database, which included flaws for Windows, was breached in 2013.
In all, Birsan was awarded a little over $15,600 in bug bounties from Google for the three bugs.
He was also given $3,133 as an additional grant to continue research on vulnerabilities with the Issue Tracker.
When reached, a Google spokesperson said: “We appreciate Alex’s report. We’ve patched the vulnerabilities that he reported, as well as their variants.”