Flaws in Google’s Bug Tracker Exposed Company’s Vulnerability Database
Discovered by Alex Birsan, the researcher describes the latter flaw as the
"Holy Grail of Google bugs" as it would have allowed an attacker access to
yet-to-be-fixed vulnerabilities in Google products.
The three flaws affected the Google Issue Tracker — also known as Buganizer — a forum-like application that tracks bug reports and security flaws for Google’s products.
“Buganizer is their central bug tracking system,” Birsan told Bleeping Computer, “so it’s very probable that it contained vulnerabilities for Google internal systems as well.”
“I can’t be sure 100% because I only did the minimum to confirm the vulnerability was real,” Birsan said. “I looked over a few consecutive vulnerability IDs that I should not have been able to see normally. But I’d say there’s a big chance that more interesting information was available in there.”
Usually, only Google employees and bug hunters have access to the Buganizer, and they usually get strict access, only to the bugs they report, or the bugs they’re supposed to fix.
Google’s can call itself lucky because a bug hunter found these flaws. In 2014, an attacker got unauthorized access to Microsoft’s internal vulnerabilities database. Mozilla suffered a similar incident in 2015.
Despite the possibility that an attacker could have gotten access to sensitive bug reports, Birsan explained in a Medium post that it would have been very difficult for an attacker to identify any usable flaws.
