Flaw in Google’s Issue Tracker exposed vulnerabilities

[German]Fail: A flaw in Google's Issued Tracker gave a security researcher access to the internal bug database, which contained the most sensitive vulnerabilities in Google's services.


Advertising

Google's in-house bug reporting system, known as Issue Tracker, is used by security researchers and bug hunters to report issues and vulnerabilities in Google's software, services, and products.

Ordinary users get very limited access to the Issued Tracker. But a security researcher found out that counterfeiting a Google corporate email address gave him access to the back end of the system and thousands of bug reports. Some of the reports have been marked as Priority Zero. These are the most serious and dangerous vulnerabilities that a hacker could use to cause immeasurable damage.

Alex Birsan, who discovered the vulnerabilities, believes that an attacker could attack and potentially take over Google accounts, using the internal bug reports from Issue Tracker. Even more serious, however, is the fact that a vulnerability could have been used to infiltrate Google's internal network.

Birsan writes in a summary of his findings that he has created a Gmail account. This process allowed a user to have his new email address changed to any email address (including Google corporate accounts) before verifying the new account by email. He was able to generate a Google corporate email address during this process.

Although Birsan's newly created fake Google company account did not allow him direct access to the corporate network, the email address was sufficient to fool the Issue Tracker. Increased privileges have been granted to display and interact with bug reports, e. g. to receive alerts and updates about problems.


Advertising

He could then send modified requests to the Issue Tracker server so that he could read any bug report stored within the database. This included read access to the most sensitive vulnerabilities noted in the Issue Tracker. The security gap has now been closed. (via)


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *