If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to [email protected]Although the deceptive email address wasn't enough to let Birsan past Google's corporate login page, it did grant him a number of other benefits - including what appeared to be access to Google's corporate taxi service, as well as deeper access into the company's bug tracking system. In addition, the researcher found a way to remove the limited functionality normally in place for outside developers accessing Google's Issue Tracker. Bugs in the system could have helped unauthorised parties access details of every vulnerability report sent to Google, opening the door for exploitation before a fix is made available. As Birsan explains, the consequences of a data breach could have been serious:
"There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact."Thankfully, Birsan is one of the good guys - and informed Google responsibly of the vulnerabilities so that they could be patched promptly. For his efforts he was awarded a total of $15,600 in bounties. But you can't help but think that intelligence agencies and organised criminals would probably have been prepared to pay far more for details of bugs in Google's system like this, especially when you consider the value of the unpatched vulnerabilities and exploit code that could have spilled out as a result. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.