A private website Google used to track bugs in its own products was discovered to have its own set of flaws that could have exposed sensitive vulnerability reports.
By accessing private information stored in Google's Issue Tracker, also known as the Buganizer, malicious actors could perhaps have compromised other Google products and attacked their users, according to researcher Alex Birsan, who published his findings this week on Medium.
Google has already patched all three vulnerabilities disclosed by Birsan, who reportedly earned £11,750 in bug bounty rewards for his efforts.
The Issue Tracker website is primarily used by Google's internal employees to track bugs as well as feature requests during product development. Ordinarily, external users, including Google partners and members of the public, can only access a small component of the website. However, the three vulnerabilities Birsan uncovered can be exploited to give external users heightened privileges and deeper access.
The most serious of the three vulnerabilities consists of multiple errors in a POST request that users can submit if they no longer want to receive CC'd emails about a specific product issue. While researching this process, Birsan determined that the Buganizer did not explicitly check whether the person sending the request actually had access to the alerts in the first place. Secondly, the system would reply in the HTTP response body with full details of the issue in question.
Consequently, Birsan realised he could repeat this process, incrementing through various Issue ID numbers, in order to learn about all sorts of Google products and their flaws.
"Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer," Birsan explains in his report. "Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn't have triggered any rate limiters."
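The following is an added illustration, not code from Birsan's report or from Google: a toy model of the "remove me from CC" endpoint described above, first with the two defects the article names (no check that the requester is on the CC list, and the full issue echoed back), then in a hardened form, plus a simple log check for the one-requester-many-IDs pattern. All issue data, addresses and function names are constructed.

```python
# Added example (hypothetical code, not Google's): a CC-removal endpoint
# modelled on the defects described in the article, beside a hardened form.
from dataclasses import dataclass, field, asdict

@dataclass
class Issue:
    issue_id: int
    title: str
    details: str                 # e.g. the body of a vulnerability report
    cc: set = field(default_factory=set)

# Constructed sample tracker contents (not real tickets).
TRACKER = {
    1001: Issue(1001, "Login CSRF", "Full repro steps ...", {"alice@example.com"}),
    1002: Issue(1002, "Translation typo", "Wrong string in menu", {"bob@example.com"}),
}

def remove_cc_vulnerable(requester: str, issue_id: int) -> dict:
    """Defective pattern: no check that the caller is on the CC list, and the
    whole issue is returned, so walking issue_id values dumps every ticket."""
    issue = TRACKER[issue_id]
    issue.cc.discard(requester)
    return {"status": "ok", "issue": asdict(issue)}

def remove_cc_hardened(requester: str, issue_id: int) -> dict:
    """Hardened: the caller must actually be CC'd, and the response carries
    no issue content. An unknown ID and an unauthorized one get the same
    answer, so the endpoint cannot be used as an existence oracle."""
    issue = TRACKER.get(issue_id)
    if issue is None or requester not in issue.cc:
        return {"status": "denied"}
    issue.cc.discard(requester)
    return {"status": "ok"}

def enumeration_suspects(log, max_distinct: int = 20) -> list:
    """Detection hint: flag any requester that touched more than max_distinct
    distinct issue IDs. `log` holds (requester, issue_id, status) tuples as an
    access log for the endpoint would record them."""
    seen: dict = {}
    for requester, issue_id, _status in log:
        seen.setdefault(requester, set()).add(issue_id)
    return sorted(r for r, ids in seen.items() if len(ids) > max_distinct)

# Constructed access log: one legitimate call and one sequential sweep.
SAMPLE_LOG = [("alice@example.com", 1001, "ok")] + [
    ("mallory@example.com", i, "denied") for i in range(1000, 1100)
]
```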
In an interview via Twitter with SC Media, Birsan speculated what damage could have been inflicted had a malicious attacker, instead of a white-hat researcher, discovered this vulnerability:
"Realistically speaking, exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them. That could be anywhere between a few hours and a few months," said Birsan, using a quote he previously supplied to another media outlet.
Birsan said that had an exploit gone unnoticed for an extended period, it could have allowed attackers to learn of "vulnerabilities you could use to steal information from other people's Google accounts," "vulnerabilities you could use to take over other Google accounts," and "very rarely, vulnerabilities you could use to gain access to Google's internal network."
"Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their zero-day capabilities," said Craig Young, computer security researcher for Tripwire's Vulnerability and Exposures Research Team (VERT), in emailed comments. "Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so.
"A clever attacker might also take advantage of unauthorised bug tracker access to delay patch releases by manipulating data in the tracker," Young added.
A second vulnerability was found in the Issue Tracker's "starring" function, which allows users to request email notifications for issues they're interested in following. Birsan learned that this capability did not properly apply access control rules to external users who were not authorised to review these vulnerabilities.
Testing this flaw, Birsan requested notifications for a few thousand issue ID numbers, and soon found his inbox flooded with internal threads discussing various vulnerabilities. (However, the content of the particular threads that Birsan reviewed turned out not to be especially sensitive, as they related to language translation issues.)
Finally, Birsan also found another vulnerability in the Buganizer that allowed him to create a Google employee account, despite being an external user. In his report, Birsan said that this account did not grant him access to the Google corporate login page, but it did give him various "extra benefits," including the ability to order a ride through Google's Guide transportation service.