Google Issue Tracker bug database found to have its own security vulnerability

2 Comments

Google's bug-tracking database -- the Google Issue Tracker which is known as the Buganizer System within the company itself -- had its own security holes which left it vulnerable to hackers.

Researcher Alex Birsan was able to exploit vulnerabilities so he could gain wider access to Google's database than he should have been able to. The trick was a simple matter of fooling the system into letting him register a @google.com email address that would ordinarily be reserved for Google employees.

See also:

In Google's own words, "Issue Tracker is intended for two sets of users: Public users of a limited set of approved projects designated by Google, and Partner users who are collaborating on specific projects with Google." The flaw discovered by Birsan was almost laughably simple, as he describes:

If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to [email protected].

The first number in this email address is a componentID -- a number representing a category -- the second is issueID -- a unique identifier for the thread you are responding to.

Birsan explains that while Issue Tracker sees around 2,000 to 3,000 issues posted per hour, a mere one percent of these are publicly accessible. While the email trick did not grant him unfettered access to Issue Tracker, it did open up parts that would otherwise be invisible.

This was not the only vulnerability Birsan found. He also discovered that it was possible to be notified about internal tickets and more. He informed Google of his finding, earning himself $15,600 in bounties.

Image credit: testing / Shutterstock

2 Comments

2 Responses to Google Issue Tracker bug database found to have its own security vulnerability

Got News? Contact Us

Recent Headlines

TEAMGROUP unveils MP44Q M.2 PCIe 4.0 SSD

Cyberwarfare incidents reported by almost half of UK firms

Ransomware, meet DRaaS: The future of disaster mitigation

Get 'Modern DevOps Practices -- Second Edition' (worth $39.99) for FREE

Number of ransomware victims up 20 percent in first quarter of 2024

Low-code tools boost developer productivity

Cisco warns of serious CLI command injection vulnerability in its Integrated Management Controller

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

61 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

17 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

16 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

16 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

EndeavourOS ARM discontinued: A huge loss for the Linux community

9 Comments

Install the KB5035942 update for Windows 11 to gain all of the Moment 5 features right now

8 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.