Google Issue Tracker Exploit Allowed the Viewing of Unpatched Vulnerabilities
Google recently launched a new Issue Tracker and with all new pieces of software, there are bound to be various bugs that may not have been brought to the attention of the developers. Recently, a security researcher named Alex Birsan started noticing his vulnerability reports were being handled by opening a thread within the platform. Inciting his curiosity, the researcher started trying to “break it” and what resulted was a bug that allowed someone to view a full list of known, unpatched vulnerabilities within Google.
Many of us are familiar with Android’s monthly security updates as we talk about them each and every month. But some people may not realize the process that goes into this entire cycle. What generally happens is the security researcher finds the vulnerability, contacts Google about it and then has it verified through the Android bounty program. The two parties agree to time frame as to when they can go public with it and by then Google is generally able to get the patches to 3rd-party OEMs a month before they begin updating their Nexus and Pixel devices.
This means that at any given time the Google Issue Tracker has a list of vulnerabilities that are unpatched and that can be quite dangerous in the hands of the wrong person. This doesn’t only happen with Android devices either since Google uses this Issue Tracker for all of its services. Mr. Birsan found three vulnerabilities within the Google Issue Tracker with the largest of the three allowing them to see a full list of known, unpatched vulnerabilities within Google.
Thankfully Mr. Birsan contacted Google about these vulnerabilities and Google was very quick to respond and fix them (within hours). The company says that so far, there hasn’t been any evidence discovered that would lead them to believe someone else found the bugs and exploited them. For those who are more interested in the details, you’ll definitely want to read through his experience on his recent Medium article.
Via: Motherboard Source: @alex.birsan