- Phishing And Credential Stuffing Attacks Remain Top Threat To Financial Services Organizations And Customers: Study
- IT-Based Attacks Increasingly Impacting OT Systems: Study
- Learning Lessons From Cyber Security Incidents
- Top Cyber Threats Remain Consistent In 2019 But Attack Frequency To Rise: Study
- Majority Of Internet Users Fear Becoming A Victim Of Identity Theft And Account Takeover: Study
Flaws in Google’s Bug Tracker Exposed Company’s Vulnerability Database
By Nisheeth Bhakuni | October 31st, 2017
Discovered by Alex Birsan, the researcher describes the latter flaw as the
"Holy Grail of Google bugs" as it would have allowed an attacker access to
yet-to-be-fixed vulnerabilities in Google products.
The three flaws affected the Google Issue Tracker — also known as Buganizer — a forum-like application that tracks bug reports and security flaws for Google’s products.
“Buganizer is their central bug tracking system,” Birsan told Bleeping Computer, “so it’s very probable that it contained vulnerabilities for Google internal systems as well.”
“I can’t be sure 100% because I only did the minimum to confirm the vulnerability was real,” Birsan said. “I looked over a few consecutive vulnerability IDs that I should not have been able to see normally. But I’d say there’s a big chance that more interesting information was available in there.”
Usually, only Google employees and bug hunters have access to the Buganizer, and they usually get strict access, only to the bugs they report, or the bugs they’re supposed to fix.
Google’s can call itself lucky because a bug hunter found these flaws. In 2014, an attacker got unauthorized access to Microsoft’s internal vulnerabilities database. Mozilla suffered a similar incident in 2015.
Despite the possibility that an attacker could have gotten access to sensitive bug reports, Birsan explained in a Medium post that it would have been very difficult for an attacker to identify any usable flaws.
Nisheeth Bhakuni
