A security researcher uncovered several flaws in Google's Issue Tracker that exposed data regarding unpatched vulnerabilities listed in the database.
Google describes the Issue Tracker, more commonly known as the Buganizer, as a tool used internally to track bugs and feature requests in Google products. However, Alex Birsan, software developer and researcher, found three flaws in the Buganizer, the most severe of which allowed an elevation of privileges and exposed data on unpatched vulnerabilities.
The less critical issues Birsan found allowed him to essentially use a Buganizer issue ID as an official @Google.com email address -- although he could not use this email to log in to Google systems -- and to get notifications for internal tickets to which he shouldn't have had access. Those two flaws alone took Birsan about 16 hours of work and netted him a little more than $8,000 in bug bounty rewards, but then came the major issue.
Revealing Buganizer data
Birsan found that Google's Buganizer had a few issues in handling POST requests through the API.
"There was no explicit check that the current user actually had access to the issues specified in issueIds before attempting to perform the given action," Birsan wrote. "If no errors occurred during the action, another part of the system assumed that the user had proper permissions. Thus, every single detail about the given issue ID would be returned in the HTTP response body."
Birsan claimed he checked the issue a few times and "could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn't have triggered any rate limiters."
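To make the authorization gap described above concrete, here is an added example (not Google's code) that models an issue-action endpoint in Python: the vulnerable handler treats a successfully completed action as proof of access and echoes every issue's details, while the hardened handler checks per-issue read access for each id in the batch before acting or returning anything. The Issue class, its readers ACL and the sample ids are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Issue:
    issue_id: int
    title: str
    details: str
    readers: set          # constructed per-issue ACL (hypothetical field)
    starred_by: set = field(default_factory=set)

# Constructed sample tracker contents; ids and titles are made up.
ISSUES = {
    101: Issue(101, "Typo in public docs", "cosmetic", {"alice", "bob"}),
    202: Issue(202, "Unpatched bug in component X", "sensitive", {"bob"}),
}

def apply_action(user, issue, action):
    """The only action modelled here ("star"); it succeeds for any existing issue."""
    issue.starred_by.add(user)

def render(issue):
    return {"id": issue.issue_id, "title": issue.title, "details": issue.details}

def vulnerable_handler(user, issue_ids, action):
    """Vulnerable pattern: perform the action and, if nothing failed, echo full details."""
    try:
        issues = [ISSUES[i] for i in issue_ids]          # only existence is checked
        for issue in issues:
            apply_action(user, issue, action)
    except KeyError:
        return 400, {"error": "bad request"}
    # "No error occurred" is taken as proof of permission: every issue is disclosed,
    # and a single request can carry many ids.
    return 200, [render(i) for i in issues]

def hardened_handler(user, issue_ids, action):
    """Hardened pattern: authorize every id in the batch before acting or disclosing."""
    issues = []
    for i in issue_ids:
        issue = ISSUES.get(i)
        # Missing and forbidden collapse into one answer so ids cannot be probed.
        if issue is None or user not in issue.readers:
            return 403, {"error": "forbidden"}
        issues.append(issue)
    for issue in issues:
        apply_action(user, issue, action)
    return 200, [render(i) for i in issues]
```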
Finding this flaw took Birsan only one hour, but it netted him $7,500 in rewards. Birsan said he initially expected more because he considered the Buganizer issue more severe, but he said the "impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway."