Bug in Google's Bug Tracker Lets Researcher Access List of Company's Vulnerabilities (vice.com)
Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks. Alex Birsan, a security researcher, found three vulnerabilities inside the Google Issue Tracker, the company's internal platform where employees keep track of requested features or unpatched bugs in Google's products. The largest of these was the one that allowed him to access the internal platform at all. The company quickly patched the bugs found by Birsan, and there's no evidence anyone else found the bugs and exploited them. Still, these were bad bugs, especially the one that gave him access to the bug-tracking platform, which could have provided hackers with a list of vulnerable targets at Google. "Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard in an online chat. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."
Re: (Score:3)
Google only has two statuses. Beta and Discontinued. I believe that their fix for most broken products is to discontinue them.
Recursive Bugs (Score:4, Funny)
A bug tracking site that lets you see the bugs before you report them. Novel.
Re: (Score:2)
Re: (Score:2)
A true recursive implementation would be a bug in a bug tracking algorithm that reports itself.
Only if bug tracking algorithms report bugs, rather than tracking them. Either of "A bug in a bug tracking algorithm that tracks itself" or "A bug in a bug reporting algorithm that reports itself" would work.
Re: (Score:2)
Also, if such algorithm reports a bug in itself, how would we ever know it is not a bug?
LOLROFLBBQ! (Score:2)
yea, yeah, evidence, absence.... (Score:2)
, and there's no evidence anyone else found the bugs and exploited them.
So are we arguing the absence of evidence is evidence of absence?
Re: (Score:2)
, and there's no evidence anyone else found the bugs and exploited them.
So are we arguing the absence of evidence is evidence of absence?
For now, yes.
We have enough demand for perpetuating bullshit (a.k.a. fake news) in other arenas. No need to add fuel to that fire.
Re: (Score:2)
, and there's no evidence anyone else found the bugs and exploited them.
So are we arguing the absence of evidence is evidence of absence?
That's a definite maybe...
I hope they submitted a bug report (Score:2)
Another oblig. (Score:3)
Re: (Score:2)
This bugs the bug people! Bugs in your bugs while you debug your debugger. Bugs!
...because Google doesn't have a VPN? (Score:2)
Last I heard, Google has all of its internal services exposed to the public internet. This means that when an incident like this happens, anybody can exploit it.
Using a VPN (or equivalent, such as requiring a dynamic SOCKS tunnel through an SSH bastion [wikipedia.org], a.k.a. a jump host [wikibooks.org]) would at least add one layer of protection beyond this: jump into the dev network (which may or may not be the same as the office network), then connect to internal services (selective use of proxies is made easier with things like Fo [getfoxyproxy.org]
Re: (Score:1)
would at least add one layer of protection beyond this
But it sucks for users. Also, the solution of VPNs doesn't even really scale when you consider the requirements facing companies like Google, and it's not necessary, and at the end of the day they still need to provide their internal services seamlessly to their internal users distributed throughout the world, and not have the access impacted by such menial things as datacenter failures.
The concept of an isolated IP network island controlled by
We didn't even give our CSO access (Score:2)
More seriously, security requires a mindset in at least some of your employees. Someone inside Google should have been messing around and found this. If no one inside Google was allowed to mess around with almost anything they want, then there's a problem.