An internal website Google uses to track bugs and feature requests throughout the product development cycle was accessible by external users, which could allow hackers to see a list of known, unpatched vulnerabilities.
A Medium post by security researcher Alex Birsan today said the vulnerability, and two others, were patched promptly by Google when he discovered them. In his blog post, Birsan details the steps he took to find the vulnerabilities in the Google Issue Tracker, which together earned him $15,600 in bug bounties.
As companies grapple with finding the right cybersecurity talent, bug bounty programs allow them to find vulnerabilities at a pace that matches the rate that security threats pop up. Google has a well-developed bug bounty program while companies like Synack bring a similar crowdsourced security approach to companies who may not have the internal capacity to manage payout negotiations.
External users are given access to the Issue Tracker (internally referred to at Google as the Buganizer System) when they are collaborating with Google users on specific projects, Birsan said, but their access is fairly restricted.
Exploiting a method that allowed external users to remove themselves from the CC list if they no longer wanted to be sent updates about issues, Birsan was able to see details about every issue in the database – even those he wasn’t supposed to have access to in the first place as an external user.
“I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters,” Birsan said.
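As an added illustration of the pattern described above (this is not Google's code and not from Birsan's post): a hypothetical CC-removal handler that echoes full issue records back to the caller, beside a hardened version that keeps issue content behind a read check, answers identically for readable, unreadable and nonexistent IDs, and bounds the batch size. The issue store, the users and the `MAX_BATCH` value are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_BATCH = 20  # assumed cap on issue IDs per request; bounds bulk pulls and keeps them visible

@dataclass
class Issue:
    id: int
    title: str
    body: str
    visible_to: set = field(default_factory=set)  # users allowed to read the issue
    cc: set = field(default_factory=set)          # users subscribed to updates

# Constructed sample data: issue 1 is shared with external user "ext", issue 2 is
# internal-only, but "ext" was CC'd on both (what the CC-removal feature exists for).
ISSUES = {
    1: Issue(1, "Shared project task", "Visible to the collaborator", {"ext", "staff"}, {"ext", "staff"}),
    2: Issue(2, "Internal security bug", "Unpatched vulnerability details", {"staff"}, {"ext", "staff"}),
}

def get_issue(user, issue_id):
    """The read path: the only place issue content leaves the store, after a read check."""
    issue = ISSUES.get(issue_id)
    if issue is None or user not in issue.visible_to:
        return None  # unreadable and nonexistent look identical to the caller
    return {"id": issue.id, "title": issue.title, "body": issue.body}

def unsubscribe_vulnerable(user, issue_ids):
    """Flawed pattern: a write endpoint that echoes the full record back.
    Dropping the CC entry is harmless, but the response returns every issue the
    caller names, with no read check and no limit on how many IDs per request."""
    result = []
    for iid in issue_ids:
        issue = ISSUES[iid]
        issue.cc.discard(user)
        result.append({"id": issue.id, "title": issue.title, "body": issue.body})
    return result

def unsubscribe_hardened(user, issue_ids):
    """Hardened version: the caller may still drop their own subscription, but the
    response carries no issue content, is the same whether or not the ID exists or
    is readable, and the batch is capped so bulk enumeration stays bounded."""
    if len(issue_ids) > MAX_BATCH:
        raise ValueError("too many issue IDs in one request")
    for iid in issue_ids:
        issue = ISSUES.get(iid)
        if issue is not None:
            issue.cc.discard(user)
    # Idempotent acknowledgement only; reading an issue goes through get_issue().
    return [{"id": iid, "status": "ok"} for iid in issue_ids]
```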