With so many products and services out there, it’s only natural that clever people will eventually discover bugs in Google’s offerings. What’s less common, however, is members of the general populace finding bugs in the company’s internal systems – and in Alex Birsan’s case, it was in Google’s own bug tracker.
The security researcher explained in a blog post how he came across a security flaw in Google’s Issue Tracker, which lists all the bugs and feature requests in the company’s products that have been reported by users and developers, and need to be tackled.
By looking at how the Issue Tracker handled the correspondence about a bug he reported, Birsan figured out that he needed an @google.com email address to access the internal bug database – which he then secured with a crafty little trick. That address didn’t work at the gate, but it did let him access some other areas and even request a ride through Google’s GRide corporate car service.
Next, he used a simpler method to listen in on bugs – simply starring a large number of them in tracker would allow him to receive notifications about the progress on them. However, Birsan found that this only worked “on translation-related conversations, where people would debate the best ways to convey the meaning of a phrase in different languages.”
In his third attempt, he messed around with the Issue Tracker’s API and cracked a way to receive all the details about a bug, simply by requesting the API to remove an email address from an issue thread.
Birsan’s snooping netted him a total of $15,600 in bounties for the three bugs he reported in Google’s system, and he noted that the company fixed one of the issues within an hour of his reporting it. Not bad for a day’s work, eh?
Birsan’s entire post detailing his exploits and findings is worth a read: find it over on this page.