A researcher has uncovered security holes in Google’s bug-tracking database that could have potentially resulted in malicious hackers accessing sensitive information, including details of ways to exploit unpatched vulnerabilities in Google products.
Researcher Alex Birsan has described how he managed to trick Google Issue Tracker (known internally to Google staff as Buganizer) into granting him access to much more information than would normally be allowed to external parties.
And the crux of the attack? Birsan found a way to trick Google into registering a @google.com account for him, something normally reserved for the company’s employees.
Normally Gmail prevents someone from creating an account with a @google.com address, but Birsan found a workaround:
If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to firstname.lastname@example.org.
Although the deceptive email address wasn’t enough to let Birsan past Google’s corporate login page, it did grant him a number of other benefits – including what appeared to be access to Google’s corporate taxi service, as well as deeper access into the company’s bug tracking system.
In addition, the researcher found a way to remove the limited functionality normally in place for outside developers accessing Google’s Issue Tracker.
Bugs in the system could have helped unauthorised parties access details of every vulnerability report sent to Google, opening the door for exploitation before a fix is made available.
As Birsan explains, the consequences of a data breach could have been serious:
“There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact.”
Thankfully, Birsan is one of the good guys – and informed Google responsibly of the vulnerabilities so that they could be patched promptly. For his efforts he was awarded a total of $15,600 in bounties.
But you can’t help but think that intelligence agencies and organised criminals would probably have been prepared to pay far more for details of bugs in Google’s system like this, especially when you consider the value of the unpatched vulnerabilities and exploit code that could have spilled out as a result.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.