Vulnerabilities in Google Issue Tracker exposed details about unpatched flaws

Pierluigi Paganini October 31, 2017

A flaw in the Google Issue Tracker, also known as the “Buganizer,” might have exposed details about unpatched flaws listed in the database.

The flaw was reported by the bug hunter Alex Birsan who was awarded more than $15,000 in bounties for reporting this issue and two other vulnerabilities in the Issue Tracker.

One of the flaws allowed Birsan to manipulate a request to the system in a way that elevated his privileges, letting him obtain every detail about a particular vulnerability.

Although the Google Issue Tracker is open to everyone with a Google account, the majority of the issues in the database can only be viewed by Google employees. The expert found a bug that could have let him view every issue in the database.

Birsan found a JavaScript method that allows an individual to remove themselves from a CC list via a POST request like this one:

POST /action/issues/bulk_edit HTTP/1.1
{
  "issueIds":[
    67111111,
    67111112
  ],
  "actions":[
    {
      "fieldName":"ccs",
      "value":"[email protected]",
      "actionType":"REMOVE"
    }
  ]
}

The request allowed him to access full details of any bug in the Google Issue Tracker.

“However, I noticed some oversights here that led to a huge problem:

  1. Improper access control: There was no explicit check that the current user actually had access to the issues specified in issueIds before attempting to perform the given action.
  2. Silent failure: If you provided an email address that was not currently in the CCs list, the endpoint would return a message stating the email had been removed successfully.
  3. Full issue details in response: If no errors occurred during the action, another part of the system assumed that the user had proper permissions. Thus, every single detail about the given issue ID would be returned in the HTTP response body.”
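
The three oversights can be seen side by side in the following added example, which is not code from Google or from Birsan's report. It models a bulk-edit handler over a hypothetical in-memory issue store (the Issue class, the sample issues, the addresses and the status strings are all assumptions), first with the behaviour described above and then with each oversight closed.

```python
from dataclasses import dataclass, field

@dataclass
class Issue:
    id: int
    title: str
    viewers: set                       # accounts allowed to view the issue
    ccs: set = field(default_factory=set)

# Constructed sample data (hypothetical IDs and addresses).
ISSUES = {
    1001: Issue(1001, "internal: unpatched flaw",
                {"employee@example.com"}, {"employee@example.com"}),
    1002: Issue(1002, "public feature request",
                {"employee@example.com", "reporter@example.com"},
                {"reporter@example.com"}),
}

def bulk_edit_vulnerable(user, issue_ids, action):
    """Behaviour described in the write-up, reproduced for comparison."""
    results = []
    for iid in issue_ids:
        issue = ISSUES[iid]                  # oversight 1: no access check
        issue.ccs.discard(action["value"])   # oversight 2: no-op still "succeeds"
        results.append({"id": iid, "status": "removed",   # oversight 3: details
                        "title": issue.title, "ccs": sorted(issue.ccs)})
    return results

def bulk_edit_hardened(user, issue_ids, action):
    """Same action with each of the three oversights closed."""
    results = []
    for iid in issue_ids:
        issue = ISSUES.get(iid)
        # 1. Authorize every ID in the batch. Unknown and forbidden IDs get
        #    the same answer, so the endpoint does not confirm an ID exists.
        if issue is None or user not in issue.viewers:
            results.append({"id": iid, "status": "not_found"})
            continue
        # 2. Report an explicit failure when the address is not on the CC list.
        if action["value"] not in issue.ccs:
            results.append({"id": iid, "status": "not_in_cc"})
            continue
        issue.ccs.remove(action["value"])
        # 3. Return only the outcome; issue details are served by a separate
        #    read path that performs its own access check.
        results.append({"id": iid, "status": "removed"})
    return results
```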

Birsan said he provided the system a few consecutive tracking numbers to confirm the issue.

“Obviously, I could now see details about every issue in the database by simply replacing issueIds in the request above. Bingo!” said the expert.

The expert was also able to exfiltrate data about multiple tickets in a single request.

“I only tried viewing a few consecutive IDs, then attacked myself from an unrelated account to confirm the severity of this problem. Yes, I could see details about vulnerability reports, along with everything else hosted on the Buganizer. Even worse, I could exfiltrate data about multiple tickets in a single request, so monitoring all the internal activity in real time probably wouldn’t have triggered any rate limiters.” Birsan added.

Birsan reported the issues to Google, which disabled the affected endpoint just one hour later.

A similar incident involving Microsoft was recently disclosed: a cyberespionage group stole the company's vulnerability database from its internal bug-tracking system back in 2013.

Knowledge of zero-day vulnerabilities and other issues in Google products would be exploited in targeted attacks in the wild.
