'Holy Grail of Google bugs' exposed firm's full vulnerability database of known and unpatched flaws
Google has already patched the flaws and rewarded the researcher who uncovered them with over $15,000.
A security researcher uncovered a series of bugs in Google's internal bug tracking platform, Google Issue Tracker (aka the Buganizer), which allowed him access to Google's entire database of known and unknown vulnerabilities.
Security researcher Alex Birsan found three flaws within Google Issue Tracker, which is normally only accessible to internal Googlers monitoring bugs in the firm's products. The largest of the flaws gave Birsan the ability to access the platform, which in turn allowed him to view the firm's entire list of dangerous vulnerabilities.
According to Birsan, the flaws could have been considered the "Holy Grail of Google bugs" given the kind of access they provided. In the hands of malicious hackers, such flaws could potentially have wreaked massive damage. However, "after finding it, I quickly realised that the impact would be minimised, because all the dangerous vulnerabilities get neutralised within the hour anyway", Birsan wrote in a blog post.
"Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google.
"So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it. I believe you'd have a pretty good chance of compromising Google accounts if you had a few specific targets and threw every attack at them. But a large scale attack that puts hundreds/thousands of people at risk? Not so much."
Birsan said he created a fake Google corporate email account, which he then used to trick the Buganizer into thinking he was a legitimate Google employee. This gave him higher privileges to view bug reports and also receive updates and notifications on issues.
Google patched the flaws after Birsan reported them to the firm. "We appreciate Alex's report. We've patched the vulnerabilities that he reported, as well as their variants."
Birsan told Bleeping Computer that he received a "Nice catch!" response from the tech giant an hour after he reported the third bug.
Google rewarded the researcher with over $15,000 in bug bounties and also gave him a grant of an additional $3,133 to continue his research on vulnerabilities with the Issue Tracker, ZDNet reported. "I'm very happy with the extra cash, and looking forward to finding bugs in other Google products," Birsan said.