Google Vulnerability Gives Outsiders Access to Internal Bug Tracker

Security researcher finds bug that allowed external users to see internal vulnerabilities.

Nicole Henderson, Contributor

October 31, 2017


An internal website Google uses to track bugs and feature requests throughout the product development cycle was accessible by external users, which could allow hackers to see a list of known, unpatched vulnerabilities.

A Medium post by security researcher Alex Birsan published today said that the vulnerability, along with two others, was patched promptly by Google after he reported them. In the post, Birsan details the steps he took to find the vulnerabilities in the Google Issue Tracker, for which Google paid out $15,600 in bug bounties.

As companies grapple with finding the right cybersecurity talent, bug bounty programs allow them to find vulnerabilities at a pace that matches the rate that security threats pop up. Google has a well-developed bug bounty program while companies like Synack bring a similar crowdsourced security approach to companies who may not have the internal capacity to manage payout negotiations.

External users are given access to the Issue Tracker (internally referred to at Google as the Buganizer System) when they are collaborating with Google users on specific projects, Birsan said, but their access is fairly restricted.

According to Birsan, “When you visit the Issue Tracker as an external user, most of its functionality is stripped away, leaving you with extremely limited privileges. If you want to see all the cool stuff Google employees can do, you can look for API endpoints in the javascript files. Some of these functions are disabled completely; others are simply hidden in the interface.”

By exploiting a method that allowed external users to remove themselves from the CC list of an issue when they no longer wanted to receive updates about it, Birsan was able to see details about every issue in the database, including those he was not supposed to have access to in the first place as an external user.

“I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters,” Birsan said.
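The class of bug described above is a missing authorization check on the response, not on the action: the "remove me from CC" call was allowed for any user, but its reply echoed the full issue record without first checking whether the caller was permitted to view that issue. The example below is added here and is not code from the article or from Google's Buganizer; the `Issue` and `User` types, the sample tickets, the visibility rule in `can_view` and the hardened handlers are all constructed assumptions. It shows the vulnerable handler next to a fixed one, and a batch variant that authorizes each ID individually and counts refusals so an enumeration attempt like the multi-ticket request Birsan describes can be logged or rate-limited.

```python
"""Added example (not from the article or from Google's code).
Models an endpoint whose side effect is harmless but whose response
leaks data the caller may not view, and the corrected version."""

from dataclasses import dataclass, field


@dataclass
class Issue:
    issue_id: int
    title: str
    internal_only: bool                      # constructed: employees only
    collaborators: set = field(default_factory=set)
    cc: set = field(default_factory=set)
    notes: str = ""


@dataclass
class User:
    name: str
    is_employee: bool


class PermissionDenied(Exception):
    pass


def can_view(user, issue):
    """Assumed visibility rule: employees see everything; external users
    see only non-internal issues they collaborate on or are CC'd on."""
    if user.is_employee:
        return True
    if issue.internal_only:
        return False
    return user.name in issue.collaborators or user.name in issue.cc


def remove_cc_vulnerable(db, user, issue_id):
    """Only checks that the issue exists. Removing the caller from CC is
    fine, but the returned record exposes every field to a caller who
    cannot view the issue."""
    issue = db[issue_id]
    issue.cc.discard(user.name)
    return {"id": issue.issue_id, "title": issue.title,
            "notes": issue.notes, "cc": sorted(issue.cc)}


def remove_cc_fixed(db, user, issue_id):
    """Authorizes the *view* before returning anything, and uses one error
    for both 'missing' and 'forbidden' so the endpoint does not confirm
    which IDs exist. The response carries no issue content at all."""
    issue = db.get(issue_id)
    if issue is None or not can_view(user, issue):
        raise PermissionDenied(f"issue {issue_id}")
    issue.cc.discard(user.name)
    return {"id": issue.issue_id, "cc_removed": True}


def remove_cc_batch_fixed(db, user, issue_ids):
    """Per-item authorization for a batch request: one forbidden ID must
    not leak, and the number of refusals is returned so an audit log or
    rate limiter can act on a caller walking through consecutive IDs."""
    results, denied = {}, 0
    for iid in issue_ids:
        try:
            results[iid] = remove_cc_fixed(db, user, iid)
        except PermissionDenied:
            results[iid] = {"id": iid, "error": "not found or not permitted"}
            denied += 1
    return results, denied


def build_sample_db():
    """Constructed sample tickets for the demonstration."""
    return {
        1001: Issue(1001, "Login page typo", internal_only=False,
                    collaborators={"ext_partner"}, cc={"ext_partner", "eng1"}),
        1002: Issue(1002, "Internal: unpatched auth bypass", internal_only=True,
                    cc={"eng1", "eng2"}, notes="repro steps and fix status"),
    }


if __name__ == "__main__":
    external = User("ext_partner", is_employee=False)
    print(remove_cc_vulnerable(build_sample_db(), external, 1002))  # leaks notes
    print(remove_cc_batch_fixed(build_sample_db(), external, [1001, 1002, 1003]))
```

The key design choice is that the fixed handler decides visibility before it touches the issue and returns only an acknowledgement, so even a correctly authorized call gives the caller nothing they did not already have; the batch variant keeps the same check per item rather than trusting one check for the whole request.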


About the Author

Nicole Henderson

Contributor, IT Pro Today

Nicole Henderson covers daily cloud news and features online for ITPro Today. Prior to ITPro Today, she was editor at Talkin' Cloud (now Channel Futures) and the WHIR. She has a bachelor of journalism from Ryerson University in Toronto.
