
Google Buganizer flaw reveals unpatched vulnerability details

A security researcher earned more than $15,000 by finding three flaws in the Google Issue Tracker, aka Buganizer, which revealed details on unpatched vulnerabilities.

A security researcher uncovered several flaws in Google's Issue Tracker that exposed data regarding unpatched vulnerabilities listed in the database.

Google describes the Issue Tracker, more commonly known as the Buganizer, as a tool used internally to track bugs and feature requests in Google products. However, Alex Birsan, software developer and researcher, found three flaws in the Buganizer, the most severe of which allowed an elevation of privileges and exposed data on unpatched vulnerabilities.

The less critical issues Birsan found allowed him to essentially use a Buganizer issue ID as an official email address -- although he could not use this email to log in to Google systems -- and to get notifications for internal tickets to which he shouldn't have had access. Those two flaws alone took Birsan about 16 hours of work and netted him a little more than $8,000 in bug bounty rewards, but then came the major issue.

Revealing Buganizer data

"When you visit the Issue Tracker as an external user, most of its functionality is stripped away, leaving you with extremely limited privileges," Birsan wrote in a blog post. "If you want to see all the cool stuff Google employees can do, you can look for API endpoints in the JavaScript files. Some of these functions are disabled completely, others are simply hidden in the interface."

Birsan found that Google's Buganizer had a few issues in handling POST requests through the API.

"There was no explicit check that the current user actually had access to the issues specified in issueIds before attempting to perform the given action," Birsan wrote. "If no errors occurred during the action, another part of the system assumed that the user had proper permissions. Thus, every single detail about the given issue ID would be returned in the HTTP response body."

Birsan claimed he checked the issue a few times and "could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn't have triggered any rate limiters."
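The flaw Birsan describes is a missing object-level authorization check: the handler acts on every ID in a batch and, if nothing errors, returns the details of all of them. The following is an added example written for this article, not code from Google or from Birsan's post; the in-memory issue store, the `User`/`Issue` types, the `can_view` rule and the two handler names are all assumptions. It places the vulnerable pattern beside a hardened handler that authorizes every ID in the batch before doing anything, so one unauthorized ID rejects the whole request instead of leaking the rest.

```python
"""Missing per-object authorization in a batch API, and the fix.

Constructed example for this page; the data model and access rule are
assumptions, not Google's Issue Tracker implementation.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    issue_id: int
    title: str
    internal: bool                      # True: employees and CC'd users only
    ccs: frozenset = frozenset()        # external user ids granted access


@dataclass(frozen=True)
class User:
    user_id: str
    employee: bool = False


# Constructed sample data, not real tracker contents.
ISSUES = {
    100: Issue(100, "Public feature request", internal=False),
    200: Issue(200, "Internal report (sample)", internal=True),
    300: Issue(300, "Internal ticket shared with partner", internal=True,
               ccs=frozenset({"ext-alice"})),
}

STARRED = set()   # (user_id, issue_id) pairs; the "action" the batch performs


class AccessDenied(Exception):
    pass


def can_view(user, issue):
    """Object-level rule: employees see everything; external users see only
    public issues or ones they are explicitly CC'd on."""
    return user.employee or not issue.internal or user.user_id in issue.ccs


def star_issues_vulnerable(user, issue_ids):
    """Mirrors the described flaw: perform the action on every id and, if no
    error occurred, return full details. Access is never checked, so an
    external user learns about every id they name."""
    result = []
    for iid in issue_ids:
        issue = ISSUES[iid]                 # only failure: unknown id -> KeyError
        STARRED.add((user.user_id, iid))
        result.append({"id": issue.issue_id, "title": issue.title})
    return result


def star_issues_checked(user, issue_ids):
    """Hardened: authorize the whole batch first, then act. Unknown and
    forbidden ids are rejected identically so the response does not confirm
    that an internal id exists."""
    issues = []
    for iid in issue_ids:
        issue = ISSUES.get(iid)
        if issue is None or not can_view(user, issue):
            raise AccessDenied(f"no access to issue {iid}")
        issues.append(issue)
    for issue in issues:                    # act only after every id passed
        STARRED.add((user.user_id, issue.issue_id))
    return [{"id": i.issue_id, "title": i.title} for i in issues]


if __name__ == "__main__":
    outsider = User("ext-mallory")
    print("vulnerable:", star_issues_vulnerable(outsider, [100, 200]))
    try:
        star_issues_checked(outsider, [100, 200])
    except AccessDenied as exc:
        print("checked:", exc)
```

The important design choice is that the check runs on every element of the batch, not just the first, and runs before any side effect: the original assumption that "no error during the action" implies permission is exactly what a batch endpoint breaks, because a mixed list of permitted and forbidden IDs produces no error at all.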

Finding this flaw only took Birsan one hour, but it netted him $7,500 in reward. Birsan said he initially expected more because he thought the Buganizer issue was more severe, but he said the "impact would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway."
