A security researcher recently found a serious vulnerability in Google's own bug-tracking system that could have exposed confidential and sensitive information to the public.
Alex Birsan, who calls himself a "Software guy", was able to get the Google Issue Tracker (known internally as Buganizer) to give him access to some internal pages by trying to register a @google.com account. Normally, this domain is reserved for Google employees, but he found a way to circumvent the restriction nonetheless:
"If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to buganizer-system+123123+67111111@google.com."
After Birsan clicked the confirmation link he was sent and logged in to the Issue Tracker, he was immediately redirected to the corporate login page for Google employees. While his Google credentials did not work, he apparently still gained access to the company's taxi service.
He was also able to receive notifications about internal bug tickets, and could comment on issues and star certain entries. However, as an external user, he realized that his privileges were limited.
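The gap in the researcher's account, an address rule that is checked at sign-up but not when an unconfirmed account changes its email, is modeled below beside the corrected form. This is an added example, not Google's code: it assumes the reserved-domain rule was enforced only at sign-up, `AccountStore`, `RESERVED_DOMAINS` and the `corp.example` domain are hypothetical, and email confirmation is reduced to a single call.

```python
# Added illustration: all names and domains are hypothetical.
RESERVED_DOMAINS = {"corp.example"}  # stands in for an employee-only domain

class PolicyError(Exception):
    pass

def domain_of(email):
    # Domain is everything after the last "@", compared case-insensitively.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise PolicyError("malformed address")
    return domain.lower().rstrip(".")

def check_allowed(email):
    if domain_of(email) in RESERVED_DOMAINS:
        raise PolicyError("reserved domain")

class AccountStore:
    def __init__(self, enforce_on_change):
        # enforce_on_change=False models the flawed flow, True the corrected one.
        self.enforce_on_change = enforce_on_change
        self.accounts = {}  # account id -> {"email": str, "confirmed": bool}

    def sign_up(self, account_id, email):
        check_allowed(email)  # the rule is applied here in both variants
        self.accounts[account_id] = {"email": email, "confirmed": False}

    def change_email(self, account_id, new_email):
        if self.enforce_on_change:
            check_allowed(new_email)  # same rule on every path that sets an address
        acct = self.accounts[account_id]
        acct["email"] = new_email
        acct["confirmed"] = False  # a changed address must be confirmed again

    def confirm(self, account_id):
        # Simplification: stands in for clicking the emailed confirmation link.
        self.accounts[account_id]["confirmed"] = True

def reserved_address_confirmed(store):
    """Replay the flow; True if a reserved-domain address ends up confirmed."""
    store.sign_up("u1", "someone@mail.example")  # constructed sample address
    try:
        store.change_email("u1", "tracker+123@corp.example")
    except PolicyError:
        return False
    store.confirm("u1")
    acct = store.accounts["u1"]
    return acct["confirmed"] and domain_of(acct["email"]) in RESERVED_DOMAINS
```

A regression test that replays this flow against every endpoint able to set an account's email address catches the same class of gap.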
The researcher further emphasized the severity of the exploit on the bug-reporting system: "There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact."
Birsan received a total of $15,600 for reporting the vulnerabilities.
Back in August, a student was rewarded with $10,000 after finding a security flaw within the Google App Engine server.
Source: Alex Birsan via Tripwire