A researcher has uncovered security holes in Google’s bug-tracking database that could have allowed malicious hackers to access sensitive information, including details of ways to exploit unpatched vulnerabilities in Google products.

Researcher Alex Birsan has described how he managed to trick Google Issue Tracker (known internally to Google staff as Buganizer) into granting him access to much more information than would normally be allowed to external parties.

And the crux of the attack? Birsan found a way to trick Google into registering a @google.com account for him, something normally reserved for the company’s employees.

Normally Gmail prevents someone from creating an account with a @google.com address, but Birsan found a workaround:

“If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to buganizer-system+123123+67111111@google.com.”

Although the deceptive email address wasn’t enough to let Birsan past Google’s corporate login page, it did grant him a number of other benefits – including what appeared to be access to Google’s corporate taxi service, as well as deeper access into the company’s bug tracking system.
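The gap described above is a policy applied at sign-up but not on a later address change, combined with services that treat the address's domain as proof of staff status. The sketch below is an added example, not Google's code: the `Account` model, the function names and the reserved-domain list are all hypothetical. It shows one way to apply the same check on both paths and to honour a domain only once the address is confirmed.

```python
from dataclasses import dataclass

# Assumption: domains that only an internal provisioning path may assign.
RESERVED_DOMAINS = {"google.com"}


class ReservedDomainError(ValueError):
    """Raised when a self-service path asks for a reserved-domain address."""


def domain_of(address: str) -> str:
    # Normalise before comparing: last "@", case-folded, trailing dot removed.
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("malformed address")
    return domain.rstrip(".").lower()


def check_address(address: str) -> str:
    if domain_of(address) in RESERVED_DOMAINS:
        raise ReservedDomainError(address)
    return address


@dataclass
class Account:
    email: str
    verified: bool = False

    @classmethod
    def sign_up(cls, email: str) -> "Account":
        return cls(check_address(email))

    def change_email(self, new_email: str) -> None:
        # Same policy as sign-up, whatever the account's verification state.
        self.email = check_address(new_email)
        self.verified = False  # the new address must be confirmed again

    def confirm(self) -> None:
        # Stand-in for the user clicking the emailed confirmation link.
        self.verified = True


def is_staff(account: Account) -> bool:
    # Downstream services: a reserved domain counts only on a confirmed address.
    return account.verified and domain_of(account.email) in RESERVED_DOMAINS
```
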

In addition, the researcher found a way to remove the limited functionality normally in place for outside developers accessing Google’s Issue Tracker.

Bugs in the system could have helped unauthorised parties access details of every vulnerability report sent to Google, opening the door for exploitation before a fix is made available.

As Birsan explains, the consequences of a data breach could have been serious:

“There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public.”