Google’s Bug Tracker Had a Bug Itself

A researcher earned $15,600 from Google’s bug hunting program… for finding a bug in Google’s bug hunting program.

The ironic discovery was made by Alex Birsan, who was reporting another bug to what’s formally called the Google Vulnerability Reward Program. It pays between $100 and the oddly specific $31,337 for spotting security flaws in Google systems and products. (Editor’s note: $31,337 = Eleet/Elite)

Until recently, most users would receive updates on their reports through e-mail exchanges, but Birsan discovered he was also able to see his report added to the Issue Tracker. That’s the internal bug tracking system known inside Google as the Buganizer System. Birsan estimates that a mere 0.1 percent of the records on the tracker are meant to have any form of public access, usually as limited viewing rights for the person who reported the bug.

He then tried a variety of tricks to get more access. The first was creating a Google account and then taking advantage of a loophole that meant he could change the address before confirming it. This didn’t get him the access to Buganizer that he had hoped for, but it did earn a separate bounty from Google when he reported it.

The second tactic was simply starring threads on the issue tracker in the hope of getting notifications when they were updated (for example, with replies giving more details). That turned out to work only in the oddly limited situation of Google staff discussing translations.

Finally, Birsan found the answer when he examined the code behind the Issue Tracker. He discovered a way Google staff could send a POST request to the server with an issue ID number to remove themselves from the CC list of notifications for that particular issue. It turned out that making a bogus request using an email address that wasn’t already on the list meant he could view all the details for the issue in question, something that worked for any issue ID.

The upshot was that, had he wanted to, Birsan could have created a complete list of all bugs Google was exploring, complete with details and their current progress on fixing them. That’s something that would naturally be of great interest to black hat hackers.
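The flaw described above is a missing authorization check on a state-changing endpoint whose reply discloses the object it acted on. The sketch below is an added example, not Google’s code or anything from the original article; every name and record in it is hypothetical, and it assumes the endpoint returned the issue in its response, which the article does not spell out.

```python
# Constructed in-memory model of a "remove me from CC" endpoint.
# Not Google's code; all names and data are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Issue:
    issue_id: int
    title: str
    details: str
    viewers: set = field(default_factory=set)  # accounts allowed to read the issue
    cc: set = field(default_factory=set)       # accounts receiving notifications


# Constructed sample data.
ISSUES = {
    1001: Issue(1001, "Internal issue", "restricted details",
                viewers={"staff@example.com"}, cc={"staff@example.com"}),
    1002: Issue(1002, "Reporter-visible issue", "details shared with reporter",
                viewers={"staff@example.com", "reporter@example.com"},
                cc={"reporter@example.com"}),
}


def remove_cc_unsafe(caller, issue_id, email):
    """Flawed pattern: no authorization check, and the reply echoes the issue."""
    issue = ISSUES[issue_id]
    issue.cc.discard(email)  # silently a no-op when email was never on the list
    return {"status": 200, "issue": {"id": issue.issue_id,
                                     "title": issue.title,
                                     "details": issue.details}}


def remove_cc_checked(caller, issue_id, email):
    """Hardened pattern: authorize first, act only on the caller, reply minimally."""
    issue = ISSUES.get(issue_id)
    # Same answer for "missing" and "forbidden" so issue IDs cannot be enumerated.
    if issue is None or caller not in issue.viewers:
        return {"status": 404}
    if email != caller:
        return {"status": 403}  # callers may only unsubscribe themselves
    issue.cc.discard(email)
    return {"status": 200, "cc_removed": email}
```

The hardened handler checks read permission before touching the CC list and returns only an acknowledgement, so the response cannot carry more than the caller was already entitled to see.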

[Via: The Next Web]