Flaw in Google’s Bug Database Allowed Access to Unpatched Vulnerability Details
A series of bugs - since fixed - could have afforded an attacker access to Google's internal bug tracking database.
A researcher managed to break into Google’s bug tracking database recently, something which could have allowed him to learn details behind known, unpatched vulnerabilities in the company’s products.
The series of three flaws - which Google has since fixed - could have had disastrous implications if they were exploited. If undetected, an attacker could have taken their time to stitch together exploits for the vulnerabilities and strategically carried them out.
Alex Birsan, a software developer and part time bug hunter, uncovered the vulnerabilities and earned a $15,600 bounty from Google for his findings.
Birsan described the vulnerabilities in a lengthy Medium post on Monday.
The researcher first began to poke around the database, internally known as Google’s Buganizer System, after he realized his own reports were being handled via the site.
It took some heavy lifting but Birsan’s first discovery was that Google allowed him to change a fake, fresh email to the email of a new @Google.com account as long as he never confirmed the fake account by clicking through a link he received. While this particular vulnerability wasn't central to his final hack, he claims he was able to use it in various spots around the internet and that it was something that "opened the doors for malicious users."
Birsan also discovered he could "star" issues in the issue tracker, something that signals a user is interested in receiving email notifications.
"Access control rules never seemed to be applied on this endpoint, so I logged in to my second account and tried to star a vulnerability report from my main account by replacing the Issue ID in the request," Birsan wrote.
By backtracking - Birsan took the ID range of recent issues and starred them all - he found he could eavesdrop on bits and pieces of conversations. The bug fetched $5,000.
The coup d’etat however came when Birsan discovered an API endpoint that allows an individual to remove themselves from a CC list by sending a POST request. Due to some oversights in the code – Birsan simply replaced issueIds in the POST request – he found he could view details around any issue in the database.
The researcher claims one of the biggest failsafes, a check that was supposed to verify that the user actually had access to the issues specified in issueIds, didn't exist. On top of that, if no error occurred while a user was doing this, the system assumed the user was fine and had adequate permissions. The user could then see every detail about the issue ID in the HTTP response body.
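Both the "star" endpoint and the remove-from-CC endpoint described above share one defect: the request names issue IDs, and the server never checks that the caller may act on those issues. The following is an added illustration, not code from the article or from Google, modelling that defect and its fix on a constructed in-memory issue store. The `Issue` dataclass, the `visible_to` ACL, `make_store`, `authorize_all` and the two hardened handlers are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not act on one of the requested issues."""


@dataclass
class Issue:
    issue_id: int
    title: str
    visible_to: set                       # hypothetical ACL: users allowed to read this issue
    cc: set = field(default_factory=set)
    starred_by: set = field(default_factory=set)


def make_store() -> dict:
    """Constructed sample data; nothing here is real issue-tracker content."""
    return {
        1001: Issue(1001, "P0: sample unpatched bug (constructed)",
                    {"alice", "bob", "sec-team"}, {"alice", "bob"}),
        1002: Issue(1002, "Docs typo (constructed)",
                    {"alice", "bob", "carol"}, {"carol"}),
    }


def remove_cc_vulnerable(store: dict, user: str, issue_ids: list) -> list:
    """The flaw pattern: no per-issue authorization. If nothing raises, the
    caller is assumed to be permitted and receives the full issue in the response."""
    details = []
    for iid in issue_ids:
        issue = store[iid]                # only an unknown id fails here
        issue.cc.discard(user)            # a no-op for users who were never CC'd
        details.append({"issue_id": iid, "title": issue.title, "cc": sorted(issue.cc)})
    return details


def authorize_all(store: dict, user: str, issue_ids: list) -> list:
    """Fail closed: every id must exist and be readable by the caller before
    anything is modified. Unknown and unauthorized ids get the same answer so
    the endpoint does not double as an id-enumeration oracle."""
    issues = []
    for iid in issue_ids:
        issue = store.get(iid)
        if issue is None or user not in issue.visible_to:
            raise Forbidden(f"not authorized for issue {iid}")
        issues.append(issue)
    return issues


def remove_cc_hardened(store: dict, user: str, issue_ids: list) -> dict:
    """Authorize first, mutate second, and return only what the caller needs."""
    issues = authorize_all(store, user, issue_ids)
    for issue in issues:
        issue.cc.discard(user)
    return {"removed_from": [i.issue_id for i in issues]}   # no issue details in the body


def star_issues_hardened(store: dict, user: str, issue_ids: list) -> dict:
    """The same check closes the 'star any issue id' variant."""
    issues = authorize_all(store, user, issue_ids)
    for issue in issues:
        issue.starred_by.add(user)
    return {"starred": [i.issue_id for i in issues]}


if __name__ == "__main__":
    s = make_store()
    print(remove_cc_vulnerable(s, "mallory", [1001]))        # leaks the P0 title
    try:
        remove_cc_hardened(make_store(), "mallory", [1001])
    except Forbidden as e:
        print("hardened:", e)
```

Two design points carry over to any bulk-ID endpoint: authorize the whole list before the first write so a partial failure leaves no side effects, and keep the success response minimal, since the original leak came not from the CC removal itself but from echoing the entire issue back once no error had occurred. On the detection side, one account touching a long contiguous run of issue IDs in a short window is the signature of the sweep Birsan performed and is worth alerting on.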
Google fixed all of the issues quickly but it was the last one, which divulged data surrounding known vulnerabilities, that merited the highest payout. The company fixed the affected endpoint in an hour and paid Birsan $7,500 for the bug.
While Birsan earned $15,600 for his findings, it can be argued the true worth of the actual vulnerability data behind the flaws far exceeds that sum. Each bug was branded "P0," meaning the issues needed to be addressed immediately and with as many resources as required. If an attacker had managed to leverage the last bug before it was fixed it could have been a real nuisance for Google, albeit something the company likely could've quickly fixed.
Google was one of the first companies, years ago, to institute a bug bounty program; the highest payout the company currently offers is $31,337 for remote code execution bugs - like command injection or sandbox escapes - that allow the takeover of a Google account. While the program has always focused on Google, YouTube, and Blogger sites, it wasn't until two weeks ago that the company began incentivizing researchers who can find bugs in apps on its Google Play marketplace. The program, dubbed the Google Play Security Reward Program, launched via HackerOne, on October 19.