Google Pays $15,600 Reward, Fixes Bug Tracker In an Hour
It’s a score to find a severe software vulnerability in a widely used Google product. But finding information on all unpatched software flaws reported to Google is a whole new, frightening level.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
That’s exactly what one security researcher pulled off. Alex Birsan found he could gain access to a Google database used to track reported software flaws, a reservoir of information that would be incredibly useful to hackers.
His technique involved determined experimentation that capitalized on several oversights by Google. He was paid $15,600 in bug bounties for reporting three vulnerabilities, the most serious of which would have allowed him to view details about every reported software flaw.
A Google spokesman says the company appreciates Birsan’s findings and that the vulnerabilities and possible variants have been fixed. Birsan notes that if attackers had discovered the flaw, they would have had to act quickly.
“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs, because it discloses information about every other bug,” he writes in a blog post. “However, after finding it, I quickly realized that the impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway.”
Bug tracking databases have long been sought after by hackers, says Craig Williams, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team.
“Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so,” Williams says.
Microsoft discovered in 2013 that a secret internal database containing information on critical and unfixed vulnerabilities had been compromised, Reuters reported on Oct. 16, citing five former company employees.
The same hacking group – referred to as Morpho, Butterfly and Wild Neutron – that compromised Microsoft also hit Apple, Twitter and Facebook. Microsoft acknowledged an intrusion in early February 2013, but did not say at the time that bug information had been stolen.
Mozilla, the developer of the Firefox browser and other software, said in September 2015 an attacker had gained access to its Bugzilla bug tracking and reporting tool by compromising the account of a user with higher-level privileges.
The attacker gained access to 185 non-public bugs, but only 10 posed a temporary risk of exploitation before Mozilla patched.
Google uses a system called the Issue Tracker to keep track of vulnerability reports and feature requests during product development. The system is known as the “Buganizer” internally, Birsan writes. He recently noticed that vulnerability reports he submitted to Google launched a new thread in the Issue Tracker.
The Issue Tracker is a mixed public-private system, with those on the public side only having limited access. Birsan sought to get higher-level privileges, but found that it required a google.com account, which is reserved for employees.
He tried to create one, but it was rejected. But he discovered he could create a random email address, not click the corresponding confirmation email that is sent out and change the random address to a google.com one.
Birsan writes he didn’t get any higher-level privileges in the Issue Tracker, but a google.com address opens up other perks, including booking a GRide, which apparently is a car service for employees. Google awarded him $3,133 for the bug.
He kept digging, though, into the Issue Tracker. Birsan eventually found he could “star” an ongoing issue in the tracker, meaning he could track issues to which he wasn’t supposed to have access.
“Access control rules never seemed to be applied on this endpoint, so I logged in to my second account and tried to star a vulnerability report from my main account by replacing the Issue ID in the request,” he writes.
It worked, but unfortunately, many of the issues that he gained access to weren’t that interesting.
“Apparently, I could only eavesdrop on translation-related conversations, where people would debate the best ways to convey the meaning of a phrase in different languages,” he writes.
Nonetheless, Google gave him $5,000 for this report. He writes that Google’s “security team would probably be interested in finding possible pivot methods and variants.”
CC: Fix Me
Birsan finally stumbled upon the big one that let him see all bugs. Those who are tracking issues can unsubscribe themselves from updates when they lose interest. But Birsan found the system did not check if the person was actually ever authorized to see the issue.
When someone unsubscribed, the Issue Tracker sent a confirmation that included all of the information related to the bug. By swapping Issue ID numbers, Birsan could access any problem in the system.
“I could see details about vulnerability reports, along with everything else hosted on the Buganizer,” he writes. “Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.”
Google awarded him $7,500 for the report and fixed it within an hour, he writes.