Tech companies typically have a long list of bugs that need to be fixed, and a system that engineers can use to keep track of them. Such systems often hold information about critical security flaws, and the results could be catastrophic if malicious hackers were to access them.
This week, security researcher Alex Birsan said in a blog post that he was able to break into Google’s Issue Tracker, the company’s internal database of bugs and vulnerabilities, and it took him just three attempts.
First, he managed to trick Gmail into giving him a company email address, i.e. @google.com, but hit a wall when a corporate login page didn’t let him through with that alone.
“Nevertheless, this account gave me a lot of extra benefits in other places across the internet,” Birsan said in a blog post about his endeavor to break into the Issue Tracker. One of those benefits, he wrote, was access to Google’s corporate car service. Birsan reported the bug to Google and received a bounty of more than $3,000 for his work. (Bug bounty programs like Google’s are common among big tech companies.)
In his second attempt, Birsan tried a simpler approach, and programmatically favorited a few thousand issues in the tracker with a phony email address. When an authenticated user favorites an issue, they receive notifications when the issue is updated, which apparently include detailed descriptions about the bugs themselves. The idea was that when Googlers commented on the issues he favorited, the information would be sent to the email address he had set up. It sort of worked, but not to the extent Birsan had hoped.
“Apparently,” he wrote in his blog post, “I could only eavesdrop on translation-related conversations, where people would debate the best ways to convey the meaning of a phrase in different languages.”
That bug, once he reported it to Google, netted Birsan a $5,000 bounty.
Finally, Birsan decided to look at the Issue Tracker’s application programming interface (API), which allows developers with access to the system to perform tasks programmatically. The Issue Tracker API has very limited functionality accessible to the public, but enough for Birsan to find a way in. He noticed that when he sent a request to the API to remove an arbitrary email address from an issue thread, it would remove the address without checking to see if it had access to the thread in the first place.
“If no errors occurred during the action, another part of the system assumed that the user had proper permissions,” Birsan wrote. The API would remove the email address, then send back “every single detail” about the issue as a response. And just like that, he could access the details of any bug in the Issue Tracker. When he reported it to Google, he said, the company paid him a bug bounty of $7,500.
Google quickly fixed all of the issues Birsan discovered and reported. He had expected the database would be full of critical vulnerabilities, he wrote, but that was not what he found.
“I quickly realized that the impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway,” he wrote in his blog post.
Earlier this month, Reuters reported that a similar bug database at Microsoft had been broken into in 2013. Microsoft determined that the vulnerabilities in the database were not exploited in breaches at other organizations that took place at the time, according to the report, but some of the former employees Reuters spoke with were not so sure.