Researcher claims $15,000 bug bounty by picking holes in Google’s bug tracker
There’s good money to be made as an ethical hacker. Companies like Facebook, Google and Microsoft all operate bug bounty programs where they offer decent payouts for finding holes in their software that need urgent attention. The reward varies depending on the company, the software and the seriousness of the bug – but one bug bounty hunter discovered that Google’s own bug tracking software was a veritable treasure trove of possible rewards, netting himself $15,633.70 from three different bugs.
You can read Alex Birsan’s full account here for the nitty-gritty of how he managed to access “Google Buganizer”, but here are the basics. Birsan’s starting point was that to access Google’s internal bug tracking services he’d need a Google email address, and those are locked down for non-Googlers. The first exploit he found got around that: by not clicking the confirmation link when signing up for a regular Google account, he was able to change the email address to a @google.com one without limitations. This didn’t give him access to the Buganizer but did give him other unusual privileges – like being able to hail a Google campus taxi. This bug was fixed in 11 hours and netted Birsan $3,133.70.
Next, Birsan tried to listen in on bug discussions by starring a number of them on the tracker. This allowed him to eavesdrop a little – but only on issues of translations, where people would discuss “the best ways to convey the meaning of a phrase in different languages.” Of limited use to a hacker then, but still enough to net him an extra $5,000, once Google had closed the bug five hours later.
Finally, Birsan hit the mother lode. After fiddling with the Buganizer’s API, he uncovered a way to receive all the juicy details of a bug by requesting that the API remove an email address from an issue thread. This most serious of bugs was closed within an hour of Birsan reporting it and netted him a whopping $7,500.
“When I first started hunting for this information leak, I assumed it would be the Holy Grail of Google bugs because it discloses information about every other bug,” Birsan writes. “However, after finding it, I quickly realised that the impact would be minimised because all the dangerous vulnerabilities get neutralized within the hour anyway. Therefore, I’m very happy with the extra cash, and looking forward to finding bugs in other Google products.”
Three vulnerabilities are fixed, and an ethical hacker is $15,633.70 richer. Everybody wins.