Google’s Issue Tracker, also known internally as the “Buganizer,” contained until recently a vulnerability that would allow an external party access to any unpatched bug listed and described in the database.
Alex Birsan, a software developer and hobbyist bug-hunter, collected more than $15,000 in bounties for finding this bug and two other unrelated flaws in the Issue Tracker. The most critical of the three vulnerabilities allowed him to manipulate a request to the system that would elevate his privileges and provide him access to every detail about a particular vulnerability.
Leave a reply
