Bug in Google's Bug Tracker Lets Researcher Access List of Company's Vulnerabilities (vice.com)
Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks. Alex Birsan, a security researcher, found three vulnerabilities inside the Google Issue Tracker, the company's internal platform where employees keep track of requested features or unpatched bugs in Google's products. The largest one of these was one that allowed him to access the internal platform at all. The company has quickly patched the bugs found by Birsan, and there's no evidence anyone else found the bugs and exploited them. Still, these were bad bugs, especially the one that gave him access to the bug-tracking platform, which could have provided hackers with a list of vulnerable targets at Google. "Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard in an online chat. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."
A bug tracking site that lets you see the bugs before you report them. Novel.
Every FOSS project has an open bug tracker. So how is this news worthy of Sloshdat, except in a negative way?
"...and there's no evidence anyone else found the bugs and exploited them."
So are we arguing the absence of evidence is evidence of absence?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Good thing they have a bug tracking system, so they can track bugs in it.
Yo dawg, I heard you liked bug reports, so we put bugs in your bug reports, so you can report bug reports while we read your bug reports with bugs about the bug reports.
Don't fight for your country, if your country does not fight for you.
I heard you like bugs so....
....meta
Didn't pay out much for something so severe and worth much more on the black market.
Google only has two statuses. Beta and Discontinued. I believe that their fix for most broken products is to discontinue them.
Last I heard, Google has all of its internal services exposed to the public internet. This means that when an incident like this happens, anybody can exploit it.
Using a VPN (or equivalent, such as requiring a dynamic SOCKS tunnel through an SSH bastion, a.k.a. a jump host) would at least add one layer of protection beyond this: jump into the dev network (which may or may not be the same as the office network), then connect to internal services (selective use of proxies is made easier with things like FoxyProxy). That way you need access to the network in addition to access to the server within that network.
A subset of that network could be made available (via VLANs, IPTables on specific SSH bastions, or the like) for remote contractors who only need access to certain servers.
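One way to express the layout from the two paragraphs above (bastion as the only way in, a SOCKS port for browser proxying, and a narrower allow-list for contractors) as OpenSSH configuration. This is an added example, not the commenter's own config; bastion.example, *.dev.example, the "contractors" group and the 10.20.x.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the comment: the bastion-plus-SOCKS layout
# described above as OpenSSH configuration. bastion.example, *.dev.example,
# the "contractors" group and the 10.20.1.x addresses are constructed.

# Client side (~/.ssh/config): hosts in the dev network are only reachable by
# hopping through the bastion, and a loopback-only SOCKS5 listener is opened
# for a browser proxy rule (e.g. FoxyProxy) that covers internal web services.
client_config() {
cat <<'EOF'
Host bastion
    HostName bastion.example
    User alice
    IdentitiesOnly yes
    # SOCKS5 on loopback only; point the browser proxy rule for *.dev.example here
    DynamicForward 127.0.0.1:1080

Host *.dev.example
    # Never connect directly; always hop via the bastion
    ProxyJump bastion
EOF
}

# Bastion side (/etc/ssh/sshd_config): staff may forward to any dev host
# (network-level reach is what the VLAN/firewall limits), contractors only to
# the hosts their contract covers. PermitOpen applies to -L, -D (SOCKS) and
# ProxyJump (-W) targets alike, so one Match block covers all three paths.
bastion_sshd_config() {
cat <<'EOF'
AllowAgentForwarding no
X11Forwarding no
AllowTcpForwarding yes
PermitListen none
PermitOpen any

Match Group contractors
    # Only the two servers this group supports; everything else is refused
    PermitOpen 10.20.1.10:22 10.20.1.11:443
EOF
}
```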
Use my userscript to add story images to Slashdot. There's no going back.
Will Manafort be in a fort?
Or locked up in county gaol?
Will he be put in Federal Pen?
Or just let out on bail?
At Google, the report bugs you!
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Bugs++;
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Muh dik only has two statuses, too. Plunging into your ass or pink-socking on the back stroke.
Bug or glitch refer to something tiny, to the small mistakes which we all make. On the lines of showing wrong text, throwing an unhandled exception under very specific conditions or wrongly managing a specific input. But should what is being described here be called a bug? Allowing someone to enter your highly-sensitive system?! By showing an extreme weakness in one of the most basic parts of a system which is very important for your company and which, presumably, has been built and improved for many years by very good developers? I cannot even imagine what that "bug" might look like. Were they redoing the login part and someone forgot to enable the password check?! This wouldn't be a minor problem, but almost terrorism! LOL.
I have a curious anecdote on this front which, back then, surprised me a lot, but not that much lately. In any case, I was expecting a company like Google to behave a bit more professionally. Anyway, a certain development team delayed the delivery of a multi-user web-based system for various months; despite that, they weren't even able to finish it and the development was passed to the next one (= myself; BTW, I was hired as a fix-whatever guy, rather than a web developer). They said that the development was almost completed and that only a few bugs had to be fixed. At first sight, it was quite a big codebase, reasonably well structured and apparently working fine other than for the referred pending bugs. I started fixing bugs and everything was going fine until reaching a quite curious one. Apparently, the client (who was already starting to use that incomplete version) was seeing some weird images at very specific points. When looking into all this, I realised that all the users were sharing a big amount of (highly) private information!!!! That bunch of previous no-idea-how-to-call-them created all the interface, all the functionalities, all the nice code, documented everything, set up the login screens... and then reached a point which, apparently, they didn't know how to manage in that language (it was a .NET implementation) and just put there the first placeholder they found!!! Since up until that point the information in all the accounts was pretty much identical, everything seemed normal!! Incredible! They might have copied/pasted or emulated or no idea what most of the common parts, but without really knowing what they were doing! And it was a team with more than 5 people (designers included).
This article and some comments in yesterday's one about web developers repeating security problems reminded me of that experience. I do also recall that then I wasn't even sure about what expression I should use to describe that monstrosity! Bug? How could I use the same name for a normal output of almost any development as for what I cannot imagine that I could ever do! How could I continue working as a programmer (or even living! LOL) after having done something like that?! This isn't an error, a bug, something which might be somehow understandable. There is no explanation, justification, not even a designation accurately describing what I am referring to in the previous paragraph. The funniest part is that that team has most likely continued working, even with that same client. Also, that client didn't understand even 1% of what I explained and, for him, this was just another bug! What a world/marketplace we live in!
Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
Note to myself: when posting in the late afternoon, I should do an additional proofreading effort because I make too many mistakes :)
Note that my take on what I am describing in that previous post is that the bad ones (horrible ones, in this case, without technical skills, and also dishonest + ignorant clients losing money for crappy products) will certainly lose and that the system will sooner or later auto-correct itself. In case of being in a situation like this again, I would simply stop working with these people without being too surprised about their behaviour. I am fully focused on doing things properly, being as patient as incompetence and stupidity force me to be and fully accepting my situation. No surprises, no disappointments, no anger (this never, other than joking), no hurry, every day higher expectations, etc. Why am I explaining all this, you might ask? It is a patheticism-risk-minimisation technique. Clearer now? LOL.
Note to myself: when posting in the late afternoon, I should do an additional proofreading effort because I make too many mistakes :)
And you want to write our code!?
And you want to write our code!?
Thanks for providing a real-life sample of the poor understanding skills I was referring to. You analyse my coding skills by looking at my relaxed English writing in an internet forum (or even at my English writing skills at all)! You think that the ideas in this post don't matter, just the few misspellings (properly speaking bugs, rather than monstrosities, which would have been writing a completely incoherent post)! You expect the performance of a person after 21:00 (+ all day working on a very unappealing development) to be the same as in normal work hours! All this makes loooots of sense! As much sense as calling letting someone into your system a "bug".
See, other AC, I know that you are kidding but have also inadvertently shown a not-appealing-to-me personality. You seem to be the kind of person who makes decisions without the required knowledge (yes, I see the irony). That's why, and unfortunately for you, you had better look for someone else to take care of your code. LOL.
And you want to write our code!?
Thanks for providing a real-life sample of the poor understanding skills I was referring to. You analyse my coding skills by looking at my relaxed English writing in an internet forum (or even at my English writing skills at all)! You think that the ideas in this post don't matter, just the few misspellings (properly speaking bugs, rather than monstrosities, which would have been writing a completely incoherent post)!
Sheesh. It was meant to be good-natured ribbing in response to your own self-deprecating follow-up to your own comment.
But our chief security officer was such an idiot he never even knew we had the database so everything was fine.
More seriously, security requires a mindset in at least some of your employees. Someone inside Google should have been messing around and found this. If no one inside Google was allowed to mess around with almost anything they want, then there's a problem.
Sheesh. It was meant to be good-natured ribbing in response to your own self-deprecating follow-up to your own comment.
Sorry. I am very tired of random misunderstandings and prefer to be on the safe side, at least in public/random/AC setups. Just look at the LOLs near all my non-evident bits! Writing all these clarifications is very far from ideal and I wouldn't do it if it wasn't required.
In any case, my point still holds: thinking that making English mistakes or even writing carelessly under these conditions has anything to do with my coding/working skills is preposterous. Despite that fact, there is a huge number of people with low-to-no technical skills (potential clients, recruiters, inexperienced programmers, etc.) whose ridiculous decisions have a negative impact on everyone; and these decisions are based upon such stupid ideas as seeing spelling/grammar errors. These people don't accept themselves and their unsuitability to assess certain knowledge; so, they rely on what they know by wrongly assuming that their expectations, fears and random assumptions have anything to do with people like me.
Oh my god! I hate working with coders like you! Every time someone talks to you, it's like you spit out this massive text wall as if you're trying to defend your doctoral thesis with every comment you post. Also, guys like that tend to write shitty code and try to defend it with bizarre dissertations that never actually solve the original problem.
Oh my god! I hate working with coders like you! Every time someone talks to you, it's like you spit out this massive text wall as if you're trying to defend your doctoral thesis with every comment you post.
?! Words and concepts confuse you a lot, right? You are the kind of person who mostly "communicates" through emojis, aren't you? When you don't understand something or it requires too much effort, you get frustrated and attack everyone? Are you the kind of PR/HR/CEO coming up with expressions like "bug" to explain what is being described in this article? LOL. I don't think that you and I (and perhaps the coders you refer to) even belong to the same world. The only reason why we are in the same working dimension is because of stupidity: lots of money, lots of possibilities and tons of extremely bad decisions.
Also, guys like that tend to write shitty code and try to defend it with bizarre dissertations that never actually solve the original problem.
Thanks again for proving my point. See? There are people so blind, so ignorant and so arbitrary that they can easily come up with such generic and prejudiced nonsense from virtually anything and provoke problems everywhere. BTW, my work speaks for itself, I don't need to justify anything: it works exactly as intended, reliably and under a huge variety of conditions, not like the jokes you can find nowadays virtually everywhere. Do you know the funniest bit? That I can beat you even at having random prejudices, as proven in the paragraphs below :) (with the smiley everything gets clearer to you, eh? I am a giver! LOL).
Your problem isn't not knowing, but not accepting that fact and making stupid decisions affecting many others. You expect everyone to listen to your incoherent expectations and, of course, someone else to bear the blame when everything goes wrong because you don't know what you are talking about. You have tons of prejudices (this is what idiots do to compensate for their lack of knowledge and acceptance of such a reality), but are also probably calling others racist or misogynist or narcissistic on a regular basis and for no good reason. You don't create/solve/improve anything; you don't innovate; you don't even treat others fairly and respectfully (just apply whatever rules the current trend says); all you do is try to justify and perpetuate your position in the system, mostly via nepotism, unfairness and impositions. You are the leech which isn't happy just with getting blood from the host, but which also wants it to do whatever and gets angry when it dies precisely because of doing such a thing.
You and all you represent are the cancer of software development; and, hopefully, the day will come when all of you will leave. And you will take with you all your emojis, abstract words, trends, fears, arbitrariness, incompetence, etc. and go to become party promoters or politicians or bankers or mobsters or whatever other field will accept your random impositions and talking-a-lot-without-knowing; or you might even move to a more logical position within software development: do you want to earn money from my work, but you know nothing about it? OK. Shut up! Don't bother me! Don't think that we have anything to do with each other; I don't like you, but you provide what I need! Let me do my work and enjoy the results! If that day ever comes, software development would become a serious technical field with professional people mostly caring about technical aspects, rather than about whatever stupidity the in-house clowns decide to come up with.