A security researcher has identified bugs in Google’s bug tracker platform, Issue Tracker. There is some irony in the fact that the software intended to track unpatched vulnerabilities and bugs during product development contained bugs of its own, through which the researcher managed to gain access to sensitive internal systems at Google.
Issue Tracker is used internally at Google and is also opened up to external public and partner users who collaborate with Google’s teams on specific projects. It applies access-control permissions so that users can only find, create, view and modify issues for the projects they have been granted access to.
The researcher, Alex Birsan, discovered several vulnerabilities in Issue Tracker, the most critical of which allowed him to read the company’s internal issues, which are highly sensitive. Had that vulnerability been exploited by an attacker, they could have spied on Google and read every vulnerability report submitted to Google by users, and it would have been quite difficult for Google to detect that anyone was doing so.
In a detailed blog post, Birsan explained how he identified the bugs in Issue Tracker. He wrote that the way Issue Tracker handled the email communication about a bug he had reported made him suspicious, and further probing showed that an @google.com email address was needed to reach the internal bug database. He managed to obtain an account with such an address. It was useless at the gate, in that it still did not get him into the internal tracker, but it did open up other internal areas, and even let him explore GRide, Google’s corporate car service.
He then turned to the tracker’s notification feature. He found that he could star (subscribe to) issues he was not permitted to view, so that the tracker would email him every subsequent update on them. In practice, though, the updates he received this way were limited to translation-related conversations.
Afterwards, Birsan tested the Issue Tracker API and found a way to obtain the full details of any bug: the API call that removes an email address from an issue’s CC list did not check whether the caller was allowed to view that issue, and its response returned the issue’s complete contents.
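The two API bugs described above are instances of one class of flaw: an endpoint that performs a side action on an issue (starring it, editing its CC list) without first checking that the caller may read the issue, so the action becomes a read channel. The following is an added illustration of that class, not Google’s Issue Tracker code; the issue data, usernames, endpoint names and the `Forbidden` exception are all constructed for the example. The vulnerable tracker checks access only on the direct read endpoint, while the hardened one routes every issue-touching endpoint through the same read check.

```python
"""Added example: a toy issue tracker showing how unchecked side-action
endpoints (star, remove_cc) leak issues that the direct read endpoint
protects. Not Google's code; all data and names are constructed."""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not read the requested issue."""


@dataclass
class Issue:
    issue_id: int
    title: str
    body: str
    visible_to: set                      # usernames allowed to read the issue
    cc: set = field(default_factory=set)
    starred_by: set = field(default_factory=set)

    def details(self):
        return {"id": self.issue_id, "title": self.title,
                "body": self.body, "cc": sorted(self.cc)}


def make_issues():
    """Constructed sample data: one public issue, one internal-only issue."""
    return {
        1: Issue(1, "Public bug", "Typo on login page",
                 {"alice", "bob", "mallory"}, {"bob@example.com"}),
        2: Issue(2, "Internal bug", "Internal-only triage notes",
                 {"alice"}, {"alice@example.com"}),
    }


class VulnerableTracker:
    """Only get_issue checks access; star and remove_cc accept any issue ID."""

    def __init__(self, issues):
        self.issues = issues

    def get_issue(self, caller, issue_id):
        issue = self.issues[issue_id]
        if caller not in issue.visible_to:
            raise Forbidden(issue_id)
        return issue.details()

    def star(self, caller, issue_id):
        # Bug: no access check, so the caller now gets every future update.
        self.issues[issue_id].starred_by.add(caller)
        return True

    def remove_cc(self, caller, issue_id, email):
        # Bug: no access check, and the response echoes the whole issue.
        issue = self.issues[issue_id]
        issue.cc.discard(email)
        return issue.details()


class HardenedTracker(VulnerableTracker):
    """Every endpoint that touches an issue first proves read access."""

    def _require_read(self, caller, issue_id):
        issue = self.issues[issue_id]
        if caller not in issue.visible_to:
            raise Forbidden(issue_id)
        return issue

    def star(self, caller, issue_id):
        self._require_read(caller, issue_id).starred_by.add(caller)
        return True

    def remove_cc(self, caller, issue_id, email):
        issue = self._require_read(caller, issue_id)
        issue.cc.discard(email)
        return issue.details()


def leak_via_remove_cc(tracker, caller, issue_id):
    """Attempt the bypass: for an issue the caller cannot fetch directly, ask
    the tracker to remove an address that is not even on the CC list and
    read the body from the response. Returns the leaked body, or None."""
    try:
        tracker.get_issue(caller, issue_id)
        return None                      # direct read works; nothing to bypass
    except Forbidden:
        pass
    try:
        return tracker.remove_cc(tracker and caller, issue_id,
                                 "nobody@example.com")["body"]
    except Forbidden:
        return None


if __name__ == "__main__":
    print(leak_via_remove_cc(VulnerableTracker(make_issues()), "mallory", 2))
    print(leak_via_remove_cc(HardenedTracker(make_issues()), "mallory", 2))
```

The point to carry into a real code review is that the access check belongs at the point where an issue is loaded for any purpose, not only on the endpoint whose name says "read": the CC-removal call here never has to succeed in removing anything to leak the issue, and the star call leaks nothing immediately but turns every later comment into a notification to the attacker.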
Google has since patched the bugs identified by Birsan, so they can no longer be exploited. Birsan reportedly received rewards of $3,133.7, $5,000 and $7,500 for the three bugs respectively.
A Google spokesperson confirmed that Birsan identified vulnerabilities in Issue Tracker and that they have now been patched.
“We appreciate Alex’s report. We’ve patched the vulnerabilities that he reported, as well as their variants,” stated Google’s spokesperson.