Google has paid out over $15,000 in bounties to a security researcher who, ironically enough, tracked down some serious vulnerabilities in the company's vulnerability tracker - including the ability to view the full details of issues which had not yet been made public.
Security researcher Alex Birsan has written of his experience with the Google Issue Tracker, a bug-tracking and triage system which is used to track defects in Google and related software - including security vulnerabilities. Although the issue tracker is open to all - allowing users of Google software to report issues to the company - only internal users have full access, including to bug reports which include yet-to-be-patched security vulnerabilities, known in the industry as 'zero-day' issues.
Birstan, however, discovered a trio of vulnerabilities in the tool, beginning a technique for partially spoofing a Google employee email account, subscribing to notifications on non-public issues, and finally the big one: the required format of an HTTP POST request for removal from notifications, which responded with full issue details in the body of the response. 'Obviously, I could now see details about every issue in the database by simply replacing issueIds in the request above,' Birsan writes of his discovery. 'I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.'
In total, Birsan spent 17 hours investigating the issue tracking system and walked away with $15,600 (around £11,800) in bounties for his trouble. Google, for its part, has resolved the security issues.
February 27 2020 | 11:00