The bug allowed the researcher to see the most sensitive vulnerabilities in Google’s services. However the bug was patched within an hour of learning about the exploit.
Google has an internal platform called Google Issue Tracker that tracks a list of bugs and unpatched vulnerabilities, but that platform itself had a bug that allowed one security researcher to access anything on the list, reports Motherboard. This would have permitted someone to view all of Google’s requested features and unpatched bugs, potentially allowing hackers to exploit the information. Google has since patched the flaw.
Security researcher Alex Birsan was able to access that information by using a function that allows external researchers to unsubscribe from email lists about particular issues. Once unsubscribed, the system would then send details of the bug in a final response. The system assumed the user had permission in the first place, so Birsan found that if he unsubscribed from a particular list he had never actually subscribed to, he could still get details of different vulnerabilities. Birsan was able to see vulnerability reports along with “everything else” on the Issue Tracker.
“Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you’re spying on them,” Birsan told Motherboard. “Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it’s reported, you still have to have a plan for what you do with it.”
Google patched the bug within one hour of Birsan notifying them of the exploit. “We appreciate Alex’s report. We’ve patched the vulnerabilities that he reported, as well as their variants,” a Google spokesperson said in an email statement to Motherboard.
In all, Birsan was awarded a little over $15,600 in bug bounties from Google for the three bugs.
He was also given $3,133 as an additional grant to continue research on vulnerabilities with the Issue Tracker.
When reached, a Google spokesperson said: “We appreciate Alex’s report. We’ve patched the vulnerabilities that he reported, as well as their variants.”