Google has patched a flaw affecting its Issue Tracker tool that enabled an attacker to expose reports for open vulnerabilities found in its products.
Security researcher Alex Birsan came across the vulnerability while attempting to break the Issue Tracker. Internally known as the Buganizer System, Google uses this utility to track bugs and feature requests during product development. External public and partner users can access the Issue Tracker, but the version they see displays only a small set of the tool’s activity.
Birsan expands upon this limited view:
“By observing numerical IDs assigned to the latest public threads, we can easily estimate how much usage this tool gets internally. There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact. Let’s break it!”
Over the course of his work, the security researcher detected three flaws in Issue Tracker. The first enabled him to create a @google.com email address, access (but not authenticate himself using) the corporate Google sign-in page, and enjoy other benefits while surfing the web. Meanwhile, he used the second flaw to receive notifications about internal reports.
The third vulnerability was by far the most serious. He found that users have the option of removing themselves from the CCs list if they don’t want to receive emails. This method, however, suffered from several weaknesses, including improper access control and full issue details provided in response.
Birsan determined he could leverage these weaknesses to view details about every issue in the database:
“I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.”
So I found a #bug that let me spy on #Google internal issues, including vulns reported by others. Is $7500 a fair reward for reporting that? pic.twitter.com/uZVIkuPdg4
— Alex Birsan (@alxbrsn) October 10, 2017
The security researcher subsequently reported the flaw to Google, whose team awarded him a $7,500 bounty for disclosing the vulnerability.
Craig Young, a member of Tripwire’s Vulnerability and Exposures Research Team (VERT), notes that attackers can leverage bug trackers to improve their ability to exploit zero-day issues. He therefore feels that companies need to make sure they keep open vulnerability reports safe against unauthorized actors:
“A clever attacker might also take advantage of unauthorized bug tracker access to delay patch releases by manipulating data in the tracker, e.g. delaying when developers see the report, changing pertinent details so that the bug does not reproduce or even just closing out tickets as invalid. Organizations handling sensitive vulnerability content need to keep this data as tightly restricted as possible without creating an undue burden on development and testing teams. One possibility is to create a separate bug tracker for security vs. non-security reports thereby making it possible to have more granular access controls and monitoring on the security reports.”
News of these flaws comes a few weeks after Microsoft disclosed a security incident where a hacking group gained access to an internal database the tech giant uses to track vulnerabilities.