Discovery of bug in Google’s bug tracking database lands researcher $15,600 in bug bounties
A security researcher is in the money after he discovered a bug that allowed him to access Google’s database of bugs.
The researcher in question, Alex Birsan, noted in a blog post that the ‘easy bugs for hard cash’ concerned the Google Issue Tracker.
This is a database, which Google, like many other tech firms, maintains to track all the active bugs, flaws and vulnerabilities in its products, as well as requested features for various tools. Exposing its contents could have been extremely dangerous for all Google users.
This in-house database is also used by outside partners of Google, and Birsan said that once he noticed that his vulnerability reports were being handled by this database, he naturally decided to break it.
“By observing numerical IDs assigned to the latest public threads, we can easily estimate how much usage this tool gets internally,” said Birsan. “There are about 2000-3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact. Let’s break it!”
It seems as though it took Birsan just three attempts to break into it. First, he tricked Gmail into providing him with a company email address (@google.com), but was then foiled by a corporate login page that did not recognise his Google account credentials.
“Nevertheless, this account gave me a lot of extra benefits in other places across the internet, including the ability to hitch a ride (with Google’s car service), so it was still a security problem that opened a lot of doors for malicious users,” he said.
This earned him a $3,133 bug bounty payment from Google.
His second attempt was a bit simpler, in that he began to favour a number of issues in the bug tracker database using a phony email address. Favouring an issue meant he received notifications whenever the issue was updated.
This bug netted him a $5,000 bug bounty.
“When designing this limited version of the system, someone was nice enough to leave in a method for us to remove ourselves from the CCs list if we lose interest in an issue or simply don’t want to receive emails about it any more,” blogged Birsan.
“If no errors occurred during the action, another part of the system assumed that the user had proper permissions,” Birsan wrote. The API then removed the email address and Birsan was able to access the details of any bug in the Issue Tracker.
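The bug class described above, as an added toy illustration in Python (not Google's code or Birsan's): a "remove me from CC" handler that performs the action and treats its success as proof of authorization, next to a version that checks the caller's view permission before changing anything and returns only a minimal confirmation. The staff domain, the issue records and the caller addresses are constructed for the example.

```python
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass
class Issue:
    issue_id: int
    title: str
    body: str
    internal: bool                     # True for the vast majority of issues that are not public
    cc: set = field(default_factory=set)


def can_view(user: str, issue: Issue) -> bool:
    # Assumed read policy for this toy model: public issues are visible to anyone,
    # internal ones only to accounts in the (hypothetical) staff domain.
    return (not issue.internal) or user.endswith("@staff.example")


def remove_cc_vulnerable(caller: str, issue: Issue, email: str) -> dict:
    # The flawed pattern from the article: the removal never fails for an unauthorized
    # caller, "no error" is then treated as proof of permission, and the handler hands
    # back the whole issue record, including details the caller may not read.
    issue.cc.discard(email)
    return {"id": issue.issue_id, "title": issue.title, "body": issue.body, "cc": sorted(issue.cc)}


def remove_cc_fixed(caller: str, issue: Issue, email: str) -> dict:
    # Authorize explicitly before the state change, and return only what is needed to
    # confirm the action; a successful write is never evidence of read permission.
    if not can_view(caller, issue):
        raise PermissionDenied(f"issue {issue.issue_id} is not visible to {caller}")
    if email != caller:
        raise PermissionDenied("callers may only remove their own address")
    issue.cc.discard(email)
    return {"id": issue.issue_id, "removed": email}


def run_demo() -> dict:
    # Constructed sample: an internal ticket on which an outsider has CC'd a throwaway address.
    outsider = "phony@outside.example"
    internal = Issue(1, "Internal vuln report", "SECRET details", True, {outsider, "dev@staff.example"})
    leaked = remove_cc_vulnerable(outsider, internal, outsider)
    internal.cc.add(outsider)          # restore the CC so the fixed handler sees the same state
    try:
        remove_cc_fixed(outsider, internal, outsider)
        blocked = False
    except PermissionDenied:
        blocked = True
    public = Issue(2, "Public feature request", "visible text", False, {outsider})
    ok = remove_cc_fixed(outsider, public, outsider)
    return {"leaked_body": leaked.get("body"), "fixed_blocked": blocked, "fixed_public": ok}
```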
For this discovery, Google paid Birsan a bug bounty of $7,500.
“I could see details about vulnerability reports, along with everything else hosted on the Buganizer,” he wrote. “Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.”
He said that Google’s security team had the affected endpoint disabled one hour after he reported it.
“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs, because it discloses information about every other bug (for example, HackerOne pays a minimum of $10,000 for something similar),” he concluded. “However, after finding it, I quickly realised that the impact would be minimised, because all the dangerous vulnerabilities get neutralised within the hour anyway. Therefore, I’m very happy with the extra cash, and looking forward to finding bugs in other Google products.”
Over the years, Google has steadily increased the amount of money it pays researchers for finding and reporting bugs and flaws.
Last year, for example, Google doubled its Chrome bug bounty from $50,000 to $100,000 for a persistent compromise of a Chromebook in guest mode.