
Bug in Google's Bug Tracker Lets Researcher Access List of Company's Vulnerabilities (vice.com)

Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks. Alex Birsan, a security researcher, found three vulnerabilities inside the Google Issue Tracker, the company's internal platform where employees keep track of requested features or unpatched bugs in Google's products. The largest one of these was one that allowed him to access the internal platform at all. The company has quickly patched the bugs found by Birsan, and there's no evidence anyone else found the bugs and exploited them. Still, these were bad bugs, especially the one that gave him access to the bug-tracking platform, which could have provided hackers with a list of vulnerable targets at Google. "Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard in an online chat. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."
  • by Arzaboa ( 2804779 ) on Monday October 30, 2017 @01:03PM (#55458035)

    A bug tracking site that lets you see the bugs before you report them. Novel.

    • by sinij ( 911942 )
      A true recursive implementation would be a bug in a bug tracking algorithm that reports itself.
      • A true recursive implementation would be a bug in a bug tracking algorithm that reports itself.

        Only if bug tracking algorithms report bugs, rather than tracking them. Either of "A bug in a bug tracking algorithm that tracks itself" or "A bug in a bug reporting algorithm that reports itself" would work.

        • by sinij ( 911942 )
          I stand corrected.

          Also, if such an algorithm reports a bug in itself, how would we ever know it is not a bug?
    • Bugs++;
  • , and there's no evidence anyone else found the bugs and exploited them.

    So are we arguing the absence of evidence is evidence of absence?

    • , and there's no evidence anyone else found the bugs and exploited them.

      So are we arguing the absence of evidence is evidence of absence?

      For now, yes.

      We have enough demand for perpetuating bullshit (a.k.a. fake news) in other arenas. No need to add fuel to that fire.

    • , and there's no evidence anyone else found the bugs and exploited them.

      So are we arguing the absence of evidence is evidence of absence?

      That's a definite maybe...

  • Good thing they have a bug tracking system, so they can track bugs in it.
  • by houghi ( 78078 ) on Monday October 30, 2017 @01:14PM (#55458113)

    Yo dawg, I heard you liked bug reports, so we put bugs in your bug reports, so you can report bug reports while we read your bug reports with bugs about the bug reports.

  • Last I heard, Google has all of its internal services exposed to the public internet. This means that when an incident like this happens, anybody can exploit it.

    Using a VPN (or equivalent, such as requiring a dynamic SOCKS tunnel through an SSH bastion [wikipedia.org], a.k.a. a jump host [wikibooks.org]) would at least add one layer of protection beyond this: jump into the dev network (which may or may not be the same as the office network), then connect to internal services (selective use of proxies is made easier with things like Fo [getfoxyproxy.org]

    • by mysidia ( 191772 )

      would at least add one layer of protection beyond this

      But it sucks for users. Also, the solution of VPNs doesn't even really scale when you consider the requirements facing companies like Google, and it's not necessary, and at the end of the day they still need to provide their internal services seamlessly to their internal users distributed throughout the world, and not have the access impacted by such menial things as datacenter failures.

      The concept of an isolated IP network island controlled by

  • Bug or glitch refer to something tiny, to the small mistakes which we all make. On the lines of showing wrong text, throwing an unhandled exception under very specific conditions or wrongly managing a specific input. But should what is being described here be called a bug? Allowing someone to enter your highly-sensitive system?! By showing an extreme weakness in one of the most basic parts of a system which is very important for your company and which, presumably, has been built and improved for many years by very good developers? I cannot even imagine what that "bug" might look like. Were they redoing the login part and someone forgot to enable the password check?! This wouldn't be a minor problem, but almost terrorism! LOL.

    I have a curious anecdote on this front which, back then, surprised me a lot but not that much lately. In any case, I was expecting a company like Google to behave a bit more professionally. Anyway, a certain development team delayed the delivery of a multi-user web-based system for various months; despite that, they weren't even able to finish it and the development was passed to the next one (= myself; BTW, I was hired as a fixing-whatever guy, rather than a web developer). They said that the development was almost completed and that only some few bugs had to be fixed. At first sight, it was a quite big code, reasonably well structured and apparently working fine other than for the referred pending bugs. I started fixing bugs and everything was going fine until reaching a quite curious one. Apparently, the client (who was already starting to use that incomplete version) was seeing some weird images at very specific points. When looking into all this, I realised that all the users were sharing a big amount of (highly) private information!!!! That bunch of previous no-idea-how-to-call-them created all the interface, all the functionalities, all the nice code, documented everything, set up the login screens... and then reached a point which, apparently, they didn't know how to manage in that language (it was a .NET implementation) and just put there the first placeholder they found!!! As far as until that point the information in all the accounts was pretty much identical, everything seemed normal!! Incredible! They might have copy/paste or emulate or no idea what most of the common parts, but without really knowing what they were doing! And it was a team with more than 5 people (designers included).

    This article and some comments in yesterday's one about web developers repeating security problems reminded me of that experience. I do also recall that then I wasn't even sure about what expression I should use to describe that monstrosity! Bug? How could I use the same name for a normal output of almost any development than for what I cannot imagine that I could ever do! How could I continue working as a programmer (or even living! LOL) after having done something like that?! This isn't an error, a bug, something which might be somehow understandable. There is no explanation, justification, not even a designation accurately describing what I am referring to in the previous paragraph. The funniest part is that that team has most likely continued working, even with that same client. Also, that client didn't understand even 1% of what I explained and, for him, this was just another bug! What a world/market place we live in!
    • Note to myself: when posting in the late afternoon, I should do an additional proofreading effort because I make too many mistakes :)
    • Note that my take about what I am describing in that previous post is that the bad ones (horrible ones, in this case, without technical skills, and also dishonest + ignorant clients losing money for crappy products) will certainly lose and that the system will sooner or later auto-correct itself. In case of being in a situation like this again, I would simply stop working with these people without being too surprised about their behaviour. I am fully focused on doing things properly, being as patient as inc
  • But our chief security officer was such an idiot he never even knew we had the database so everything was fine.

    More seriously, security requires a mindset of at least some of your employees. Someone inside Google should have been messing around and found this. If no one inside Google was allowed to mess around at almost anything they want then there's a problem.
