Bug in Google's Bug Tracker Lets Researcher Access List of Company's Vulnerabilities

Lorenzo Franceschi-Bicchierai, writing for Motherboard: Google's platform to deal with bugs and unpatched vulnerabilities had a bug that allowed a security researcher to see a full list of known, unpatched vulnerabilities within Google, creating a kind of bug inception that could have led to more damaging hacks. Alex Birsan, a security researcher, found three vulnerabilities inside the Google Issue Tracker, the company's internal platform where employees keep track of requested features or unpatched bugs in Google's products. The largest one of these was one that allowed him to access the internal platform at all. The company has quickly patched the bugs found by Birsan, and there's no evidence anyone else found the bugs and exploited them. Still, these were bad bugs, especially the one that gave him access to the bug-tracking platform, which could have provided hackers with a list of vulnerable targets at Google. "Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard in an online chat. "Turning those vulnerability reports into working attacks also takes some time/skill. But the bigger the impact, the quicker it gets fixed by Google. So even if you get lucky and catch a good one as soon as it's reported, you still have to have a plan for what you do with it."

Recursive Bugs

[Arzaboa]

A bug tracking site that lets you see the bugs before you report them. Novel.

Oblig. Yo dawg.

[houghi]

Yo dawg, I heard you liked bug reports, so we put bugs in you bug reports, so you can report bug reports while we read your bug reports with bugs about the bug reports.

Re:Google = fags

[omnichad]

Google only has two statuses. Beta and Discontinued. I believe that their fix for most broken products is to discontinue them.

Another oblig.

[Errol+backfiring]

At Google, the report bugs you!

Shouldn't we come up with a better naming system?

[CustomSolvers2]

Bug or glitch refer to something tiny, to the small mistakes which all we do. On the lines of showing wrong text, throwing an unhandled exception under very specific conditions or wrongly managing a specific input. But show what is being described here be called a bug? Allowing someone to enter in your highly-sensitive system?! By showing an extreme weakness in one of the most basic parts of a system which is very important for you company and which, presumably, has been built and improved for many years by very good developers? I cannot even imagine how that "bug" might look like. Were they redoing the login part and someone forgot the enable the password check?! This wouldn't be a minor problem, but almost terrorism! LOL.

I have a curious anecdote on these front which, back then, surprised me a lot but not that much lately. In any case, I was expecting a company like Google to behave a bit more professionally. Anyway, certain development team delayed the delivery of a multi-user web-based system for various months; despite that, they weren't even able to finish it and the development was passed to the next one (= myself; BTW, I was hired as a fixing-whatever guy, rather than a web developer). They said that the development was almost completed and that only some few bugs had to be fixed. At first sight, it was a quite big code, reasonably well structured and apparently working fine other than for the referred pending bugs. I started fixing bugs and everything was going fine until reaching a quite curious one. Apparently, the client (who was already starting to use that incomplete version) was seeing some weird images at very specific points. When looking into all this, I realised that all the users were sharing a big amount of (highly) private information!!!! That bunch of previous no-idea-how-to-call-them created all the interface, all the functionalities, all the nice code, documented everything, set up the login screens... and then reached a point which, apparently, they didn't know how to manage in that language (it was a .NET implementation) and just put there the first placeholder they found!!! As far as until that point the information in all the accounts was pretty much identical, everything seemed normal!! Incredible! They might have copy/paste or emulate or no idea what most of the common parts, but without really knowing what they were doing! And it was a team with more than 5 people (designers included).

This article and some comments in yesterday's one about web developers repeating security problems reminded me that experience. I do also recall that then I wasn't even sure about what expression should I use to describe that monstrosity! Bug? How could I use the same name for a normal output of almost any development than for what I cannot imagine that I could ever do! How could I continue working as a programmer (or even living! LOL) after having done something like that?! This isn't an error, a bug, something which might be somehow understandable. There is no explanation, justification, not even a designation accurately describing what I am referring in the previous paragraph. The funniest part is that that team has most likely continued working, even with that same client. Also, that client didn't understand even 1% of what I explained and, for him, this was just another bug! What a world/market place we live in!