Flaw in Google Bug Tracker Exposed Reports About Unpatched Vulnerabilities

Google’s Issue Tracker contained until recently a vulnerability that would allow an external party access to any unpatched bug listed and described in the database.

Google’s Issue Tracker, also known internally as the “Buganizer,” contained until recently a vulnerability that would allow an external party access to any unpatched bug listed and described in the database.

Alex Birsan, a software developer and hobbyist bug-hunter, collected more than $15,000 in bounties for finding this bug and two other unrelated flaws in the Issue Tracker. The most critical of the three vulnerabilities allowed him to manipulate a request to the system that would elevate his privileges and provide him access to every detail about a particular vulnerability.

“The [Issue Tracker] system is open to everyone with a Google account. However, the vast majority of the issues hosted on it can only be viewed by Google employees,” Birsan said. “Some of them may only be available to certain teams, too. I found a bug that could have let me view each and every one of them.”

Birsan wrote today in a Medium post that external visitors to the Issue Tracker have limited privileges compared to those inside Google resolving bugs. Birsan said he found a JavaScript method that allows an individual to remove themselves from a CC list—via a POST request— that could be abused to learn the full details of a bug. Birsan said he could have accessed the entire Issue Tracker.

“I don’t know exactly what else was on there, because I kept my behavior ethical during testing,” he said. “I only viewed enough information to confirm I had the extra privileges.”

Birsan said he provided the system a few consecutive tracking numbers to confirm the issue.

“Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer,” he wrote, adding that Google’s security team disabled the endpoint he was accessing within an hour. “Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.”

Birsan said there would be limitations keeping an attacker with similar access from turning the exposed information into a working exploit.

“It depends entirely on what kind of exploits would have been reported,” Birsan said. “Generally speaking, great technical knowledge and the ability to write post-exploitation scripts quickly help a lot in situations like this, where you have an extremely tight deadline to attack before the bug is fixed.”

Birsan’s disclosure today comes shortly after a similar incident report involving Microsoft’s internal bug-tracking system. A Reuters report published Oct. 17 described a 2013 attack against Microsoft’s system that was corroborated by five former employees.

“Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their 0-day capabilities. Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so,” said Craig Young, a security researcher with Tripwire. “A clever attacker might also take advantage of unauthorized bug tracker access to delay patch releases by manipulating data in the tracker. (e.g. Delaying when developers see the report, changing pertinent details so that the bug does not reproduce, or even just closing out tickets as invalid).”

Suggested articles