A Romanian bug hunter has found three flaws in Google's official bug tracker, one of which could have been used to expose sensitive, unpatched vulnerabilities to unauthorized intruders.

Researcher Alex Birsan, who discovered the flaws, describes the latter one as the "Holy Grail of Google bugs," as it would have allowed an attacker access to yet-to-be-fixed vulnerabilities in Google products.

An attacker could have used these flaws for his own purpose or sold such information on the dark market for huge paydays, putting hundreds of millions of Google users at risk.

Flaws granted access to sensitive bug reports

The three flaws affected the Google Issue Tracker — also known as Buganizer — a forum-like application that tracks bug reports and security flaws for Google's products.

"Buganizer is their central bug tracking system," Birsan told Bleeping Computer, "so it's very probable that it contained vulnerabilities for Google internal systems as well."

"I can't be sure 100% because I only did the minimum to confirm the vulnerability was real," Birsan said. "I looked over a few consecutive vulnerability IDs that I should not have been able to see normally. But I'd say there's a big chance that more interesting information was available in there."

Normally, only Google employees and bug hunters have access to Buganizer, and that access is tightly scoped: bug hunters see only the bugs they reported, and employees see only the bugs they are supposed to fix.

Three flaws found in Google's bug tracker app

Birsan — who is a Python developer at a Romanian cyber-security company — says he identified the bugs while off-duty between September 27 and October 4. He found three issues, as follows:

⇾ A way to register a @google.com email address using the Buganizer's generic email address naming scheme.
⇾ A way to subscribe and receive notifications for bugs that he wasn't supposed to have access to.
⇾ A way to trick the Buganizer API into granting him access to every bug.
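The second and third flaws are both access-control failures around individual issues, and the first turns on trusting an internal-looking e-mail address. The following is an added illustration, not Birsan's code and not Buganizer's, of the defender-side pattern that prevents that class of bug: one per-issue authorization decision that every read path, including notification subscriptions, must go through, and an employee flag that comes from the identity provider rather than from the address's domain. The tracker, issues, users and domain `example.com` are all constructed for the example.

```python
"""Constructed model of per-issue access control for a bug tracker.

Hypothetical code, not Buganizer's: it models the policy the article
describes (a user sees only bugs they reported or are assigned to fix,
plus staff) and shows why every operation that reveals issue data,
including subscribing to its notifications, must pass the same check.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    email: str
    # Set by the identity provider, never inferred from the email domain:
    # an address that merely looks internal must not be trusted.
    is_employee: bool = False


@dataclass
class Issue:
    issue_id: int
    reporter: str                       # email of the bug hunter who filed it
    assignees: set[str] = field(default_factory=set)
    subscribers: set[str] = field(default_factory=set)
    title: str = ""


class NotAuthorized(Exception):
    """Raised when a user touches an issue outside their access scope."""


class Tracker:
    def __init__(self) -> None:
        self._issues: dict[int, Issue] = {}

    def add(self, issue: Issue) -> None:
        self._issues[issue.issue_id] = issue

    def can_access(self, user: User, issue_id: int) -> bool:
        """The single authorization decision every read path must use."""
        issue = self._issues.get(issue_id)
        if issue is None:
            return False          # unknown id: deny, and don't leak existence
        return (user.is_employee
                or user.email == issue.reporter
                or user.email in issue.assignees)

    def view(self, user: User, issue_id: int) -> Issue:
        if not self.can_access(user, issue_id):
            raise NotAuthorized(f"{user.email} may not view issue {issue_id}")
        return self._issues[issue_id]

    def subscribe(self, user: User, issue_id: int) -> None:
        """Hardened: subscribing is a read path, so it reuses can_access."""
        if not self.can_access(user, issue_id):
            raise NotAuthorized(f"{user.email} may not follow issue {issue_id}")
        self._issues[issue_id].subscribers.add(user.email)

    def subscribe_unchecked(self, user: User, issue_id: int) -> None:
        """Weak pattern: only checks that the issue exists, so anyone holding
        an issue id would receive every future update by email."""
        self._issues[issue_id].subscribers.add(user.email)

    def notify(self, issue_id: int, update: str) -> list[tuple[str, str]]:
        """Return the (recipient, message) pairs an update would send."""
        issue = self._issues[issue_id]
        return [(email, f"[{issue_id}] {issue.title}: {update}")
                for email in sorted(issue.subscribers)]


def trusted_by_domain(user: User) -> bool:
    """Weak pattern: trust by domain suffix. If the tracker's own naming
    scheme lets an outsider obtain such an address, this check passes them."""
    return user.email.endswith("@example.com")


def demo() -> dict[str, object]:
    """Exercise the hardened and weak paths on constructed sample data."""
    tracker = Tracker()
    tracker.add(Issue(1, reporter="hunter@mail.test", title="XSS in widget"))
    tracker.add(Issue(2, reporter="staff@example.com", title="internal auth bug",
                      assignees={"dev@example.com"}))
    hunter = User("hunter@mail.test")
    dev = User("dev@example.com", is_employee=True)
    # Constructed: an internal-looking address that the identity provider
    # has NOT marked as an employee.
    lookalike = User("notifications-123@example.com")

    results: dict[str, object] = {
        "hunter_sees_own": tracker.can_access(hunter, 1),
        "hunter_sees_other": tracker.can_access(hunter, 2),
        "dev_sees_assigned": tracker.can_access(dev, 2),
        "lookalike_domain_check": trusted_by_domain(lookalike),   # True: weak
        "lookalike_real_check": tracker.can_access(lookalike, 2),  # False
    }
    tracker.subscribe_unchecked(hunter, 2)       # weak path lets it through
    results["leaked_recipients"] = [r for r, _ in tracker.notify(2, "fix landed")]
    try:
        tracker.subscribe(lookalike, 2)
        results["hardened_blocked"] = False
    except NotAuthorized:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that `can_access` is the only place the policy lives: `view` and `subscribe` both call it, so a new read path (an export, a search result, an e-mail digest) cannot quietly skip the check the way `subscribe_unchecked` does.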

Google awarded the researcher $3,133.7 for the first bug, $5,000 for the second, and $7,500 for the third.

Birsan told Bleeping he received a "Nice catch!" reply one hour after he reported the third bug. Bug hunters don't usually receive such quick responses unless they've reported something big.

Not as bad as the Microsoft and Mozilla incidents

Google can consider itself lucky that a bug hunter found these flaws. In 2014, an attacker gained unauthorized access to Microsoft's internal vulnerabilities database, and Mozilla suffered a similar incident in 2015.

Despite the possibility that an attacker could have gotten access to sensitive bug reports, Birsan explained in a Medium post that it would have been very difficult for an attacker to identify any usable flaws.

The attacker would have had to sift through thousands of bug reports per hour: Birsan said he saw between 2,000 and 3,000 new issues reported every hour.

Furthermore, Birsan said his bug report was triaged and most likely fixed within an hour. "I realized that the impact [of an intruder gaining access to Buganizer] would be minimized, because all the dangerous vulnerabilities get neutralized within the hour anyway."

Image credit: Alex Birsan