The heart of tech

This article was published on November 1, 2017


Researcher finds bug in Google bug tracker, gains partial access and scores $15,000 in bounties

Researcher finds bug in Google bug tracker, gains partial access and scores $15,000 in bounties
Abhimanyu Ghoshal
Story by

Abhimanyu Ghoshal

Managing Editor

Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and Abhimanyu is TNW's Managing Editor, and is all about personal devices, Asia's tech ecosystem, as well as the intersection of technology and culture. Hit him up on Twitter, or write in: [email protected].

With so many products and services out there, it’s only natural that clever people will eventually discover bugs in Google’s offerings. What’s less common, however, is members of the general populace finding bugs in the company’s internal systems – and in Alex Birsan’s case, it was in Google’s own bug tracker.

The security researcher explained in a blog post how he came across a security flaw in Google’s Issue Tracker, which lists all the bugs and feature requests in the company’s products that have been reported by users and developers, and need to be tackled.

By looking at how the Issue Tracker handled the correspondence about a bug he reported, Birsan figured out that he needed an @google.com email address to access the internal bug database – which he then secured with a crafty little trick. That address didn’t work at the gate, but it did let him access some other areas and even request a ride through Google’s GRide corporate car service.

Next, he used a simpler method to listen in on bugs – simply starring a large number of them in tracker would allow him to receive notifications about the progress on them. However, Birsan found that this only worked “on translation-related conversations, where people would debate the best ways to convey the meaning of a phrase in different languages.”

In his third attempt, he messed around with the Issue Tracker’s API and cracked a way to receive all the details about a bug, simply by requesting the API to remove an email address from an issue thread.

Birsan’s snooping netted him a total of $15,600 in bounties for the three bugs he reported in Google’s system, and he noted that the company fixed one of the issues within an hour of his reporting it. Not bad for a day’s work, eh?

Birsan’s entire post detailing his exploits and findings is worth a read: find it over on this page.

Also tagged with