Google’s bug-tracking database — the Google Issue Tracker, known within the company as the Buganizer System — had security holes of its own that left it vulnerable to hackers.
Researcher Alex Birsan exploited vulnerabilities that gave him wider access to Google’s database than he should have had. The trick was a simple matter of fooling the system into letting him register a @google.com email address, which would ordinarily be reserved for Google employees.
In Google’s own words, “Issue Tracker is intended for two sets of users: Public users of a limited set of approved projects designated by Google, and Partner users who are collaborating on specific projects with Google.” The flaw discovered by Birsan was almost laughably simple, as he describes:
If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to [email protected]
The first number in this email address is a componentID — a number representing a category — and the second is an issueID, a unique identifier for the thread you are responding to.
Birsan explains that while Issue Tracker sees around 2,000 to 3,000 issues posted per hour, a mere one percent of these are publicly accessible. While the email trick did not grant him unfettered access to Issue Tracker, it did open up parts that would otherwise be invisible.
This was not the only vulnerability Birsan found. He also discovered that it was possible to be notified about internal tickets and more. He informed Google of his findings, earning himself $15,600 in bounties.
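The email-change flaw described above, shown as a flawed handler next to a hardened one. This is an added illustration, not Google's code: the Account class, every function name and the sample addresses are hypothetical, and the sketch assumes that access is granted according to the domain of the account's email address.

```python
import secrets

RESERVED_DOMAINS = {"google.com"}  # domain named in the article, assumed staff-only

class Account:
    def __init__(self, email):
        self.email = email         # address currently bound to the account
        self.verified = False      # True only after the emailed link is used
        self.pending_email = None  # requested address, not yet proven
        self.pending_token = None  # one-time token sent to pending_email

def domain_of(email):
    return email.rsplit("@", 1)[-1].strip().lower()

def change_email_unsafe(acct, new_email):
    """Flawed pattern: an unconfirmed account swaps its address with no check."""
    acct.email = new_email
    return acct.email

def request_email_change(acct, new_email):
    """Hardened step 1: stage the address; the account itself is unchanged."""
    if new_email.count("@") != 1:
        raise ValueError("malformed address")
    acct.pending_email = new_email
    acct.pending_token = secrets.token_urlsafe(32)
    # A real service mails this token to new_email only; it is returned
    # here so the flow can be exercised offline.
    return acct.pending_token

def confirm_email_change(acct, token):
    """Hardened step 2: commit only if the token from the new mailbox matches."""
    expected = acct.pending_token
    if expected is None or not secrets.compare_digest(
            token.encode(), expected.encode()):
        return False
    acct.email, acct.verified = acct.pending_email, True
    acct.pending_email = acct.pending_token = None  # token is single-use
    return True

def has_staff_access(acct):
    """Domain-based privilege counts only for a verified address."""
    return acct.verified and domain_of(acct.email) in RESERVED_DOMAINS
```

Two independent controls are at work: the address is never committed before the new mailbox proves ownership, and the authorization check ignores the domain of any address that has not been verified.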