A series of bugs allowed hackers to snoop into one of Google’s most sensitive internal systems.
Image: Shutterstock. Composite: Jason Koebler/Motherboard
Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks.
Alex Birsan, a security researcher, found three vulnerabilities inside the Google Issue Tracker, the company's internal platform where employees keep track of requested features or unpatched bugs in Google's products. The largest one of these was one that allowed him to access the internal platform at all. The company has quickly patched the bugs found by Birsan, and there's no evidence anyone else found the bugs and exploited them.
Still, these were bad bugs, especially the one that gave him access to the bug-tracking platform, which could have provided hackers with a list of vulnerable targets at Google.
"Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard in an online chat. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."
A Google spokesperson said in an email statement: "We appreciate Alex's report. We've patched the vulnerabilities that he reported, as well as their variants."
Access to the Google Issue Tracker—internally called Buganizer System—is normally limited to employees. External researchers can be granted access to specific threads, such as to the bugs they report. Birsan, however, found a way to circumvent the strict permissions and subscribe to any thread on the platform, allowing him to "see details about every issue in the database," as he explained in a blog post.
Birsan found that Google had programmed a way for external researchers to remove themselves from email lists. This worked the way it was intended, removing the person from the thread, and sending the details of the bug as a final message. But this mechanism had a problem: it didn't actually check if the user requesting to be removed had permission to access the issue in question. So it was possible for anyone to "unsubscribe" from issue they were never subscribed to and thus learn the details of the vulnerability.
"You'd have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them."
Still, there's a reason Google is generally known for its good corporate security: Birsan said that with the vulnerabilities he saw, it would have been very difficult or perhaps impossible to launch a widespread attack that affected even a fraction of Google's users.
"I believe you'd have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them," Birsan told me. "But a large scale attack that puts hundreds/thousands of people at risk? Not so much."
There's no evidence anyone other than Birsan found this bug, and Google patched it within an hour of his report, according to Birsan. But such a platform is a juicy target for bad guys, especially sophisticated hackers and government spies. On Oct. 17, Reuters revealed that hackers had breached Microsoft's internal database to track bugs into its own software in 2013.
Birsan found a total of three bugs in the platform. They are all patched now and he received rewards of $3,133.7, $5,000, and $7,500 for reporting them to Google.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.