Google Issue Tracker Vulnerability: Flaw Let Anyone Access Sensitive Bugs

A number of security flaws in Google’s internal bug reporting system allowed for unauthorized access that revealed the most critical and severe vulnerabilities in the company’s products and services.

The flaws were first spotted by security researcher Alex Birsan, who found he could successfully access Google’s Issue Tracker —otherwise known as the “Buganizer”—and view the reported issues and problems discovered in Google’s own software.

While Issue Tracker is publicly accessible, very little information is available to the average user. It shows reported bugs and security vulnerabilities that have been reported by or assigned to a user to address—something that the typical Google user likely has no involvement in.

However, Birsan was able to achieve much more insight into the activity of Google’s issue monitoring service through the simple trick of spoofing a Google corporate email address that had significantly more access to bugs being tracked and fixed by the search giant.

The method revealed thousands of bug reports, including those marked as “priority zero”—the most severe and dangerous vulnerabilities that have yet to be addressed, making the security flaws ripe for abuse were they to fall into the wrong hands.

“Bug trackers used within prominent tech companies can be a hugely lucrative target for attackers looking to improve their zero-day capabilities,” Craig Young, a computer security researcher for security firm Tripwire, told International Business Times.

“Access to a private bug tracker gives the attackers lead time toward crafting an exploit as well as for finding related bugs before the public security community has a chance to do so,” Young explained.

Birsan noted in a blog post that an attacker could exploit the flaw by simply changing their email address to essentially any address, including Google corporate accounts that use the @google.com domain, by creating a fake account and not verifying it. By choosing not to verify, the user then has the ability to change the account name—including the domain—without limitation, allowing them to use the @google.com corporate domain.

The email address hosted on Google’s corporate domain doesn’t provide direct access to the company’s internal networks or servers but did grant significantly more access to the Issue Tracker, as the platform registered him an as employee and provided elevated privileges.

Once Birsan had access, he was able to read any bug report, send requests and interact with other reports on the platform. “I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters,” he wrote.

Birsan reported the issue to Google and the company quickly revoked his access and fixed the flaw that allowed him or any other attacker to pose as an employee. "We appreciate Alex's report,” a Google spokesperson said of the situation. “We've patched the vulnerabilities that he reported, as well as their variants."

Young of Tripwire advised organizations that handle sensitive vulnerability content “need to keep this data as tightly restricted as possible without creating an undue burden on development and testing teams.” He suggested created a separate bug tracker for security and non-security reports so the security-related issues could be more tightly monitored.