Google’s Issue Tracker tool is used by the company to keep tabs on active vulnerability alerts, bug reports and feature requests across all its own products. If you suggest a new feature or a security company notifies Google of a vulnerability, the report will end up inside Issue Tracker where it’s assigned to an engineer.
The system is a lucrative target for malicious actors. Accessing the website could allow hackers to get the lowdown on serious security flaws before they’re patched, giving them a window of opportunity not to be missed. As Motherboard reports, security researcher Alex Birsan discovered it’s possible to do exactly that.
In a blog post, Birsan explained how he came across Issue Tracker while filing vulnerabilities he found in other Google products. After being redirected to the tool for the first time, he “immediately started trying to break it.” After three separate attacks, Birsan found a way to get the details on any issue currently saved within the system.
READ NEXT: Differential privacy use is growing – here’s what that means
The system had several weaknesses which could be combined to enable a full infiltration. Critically, access control mechanisms were implemented haphazardly. Several features did not explicitly check to see if the user was allowed to access them. By exploiting these vulnerabilities, access to the wider service could be obtained.
Google creates a lot of issues each day. Birsan observed up to 3,000 new reports being added every hour, indicating the scale at which Issue Tracker operates. An individual report could sit in the system for days or weeks before it’s fixed though. In the meantime, hackers could have read the details of the vulnerability, giving them an instruction manual on how to exploit it and the benefits of doing so.
Birsan was awarded a total of over $15,000 in bug bounties for his three separate attacks. The most serious of his findings, enabling access to any report in the tracker, was accepted by Google within an hour of his disclosure.
The attack comes less than two weeks after Reuters reported on a historical breach of Microsoft’s internal issue tracking database. The incident occurred in 2013 and was never publicly disclosed by the company. Attackers successfully entered the system and accessed vulnerability reports for Windows components. The information could have been used to craft new cyberattacks aimed specifically at weak areas of the software, demonstrating the risks of unsecured bug tracking sites.
