Google has patched a flaw affecting its Issue Tracker tool that enabled an attacker to expose reports for open vulnerabilities found in its products.

Security researcher Alex Birsan came across the vulnerability while attempting to break the Issue Tracker. Internally known as the Buganizer System, Google uses this utility to track bugs and feature requests during product development. External public and partner users can access the Issue Tracker, but the version they see displays only a small set of the tool’s activity.

Birsan expands upon this limited view:

“By observing numerical IDs assigned to the latest public threads, we can easily estimate how much usage this tool gets internally. There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact. Let’s break it!”

Source: Alex Birsan

Over the course of his work, the security researcher detected three flaws in Issue Tracker. The first enabled him to create a @google.com email address, access (but not authenticate himself using) the corporate Google sign-in page, and enjoy other benefits while surfing the web. Meanwhile, he used the second flaw to receive notifications about internal reports.

The third vulnerability was by far the most serious. He found that users have the option of removing themselves from the CCs list if they don’t want to receive emails. This method, however, suffered from several weaknesses, including improper access control and full issue details provided in response.

Birsan determined he could leverage these weaknesses to view details about every issue in the database:

“I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I (Read more...)