1. 15

  2. 3

    Silent failure: If you provided an email address that was not currently in the CCs list, the endpoint would return a message stating the email had been removed successfully.

    That was listed as an oversight that led to a problem, but that actually sounds like a reasonable security feature to me - you should not be able to find out who is following an issue by trying to remove them.

    1. 3

      Seems plausible Google didn’t go over Buganizer as carefully as they do many public-facing products because it seemed like an internal product, and the external audience that gets access (folks who successfully reported a security bug) seemed semi-trusted. I bet there are a lot of security issues in code that’s meant for semi-trusted audiences like this: a company’s vendors, say, or a small number of special high-value clients, or employees (when employees have access to a tool but shouldn’t all have ‘root’ on it). Place to look for issues in our own stuff potentially.

      1. 1

        Agreed—this is a prime example of security through obscurity. Tons of small shops do this sort of thing every day, employing only what security is necessary to keep out the passerby who isn’t too tech-savvy.

        One would hope a place like Google wouldn’t lean on obscurity, but here they are doing it.

        1. 2

          Oh, huh, you’re right and it’s different from what I originally thought. I had thought they had proper access control so that only bug reporters could access the tool, but weren’t securing products for that audience as well as they would secure apps that just anyone can trivially browse to. But, in fact, it looks like it’s public (at least, I can just browse to issuetracker.google.com), so it really was just a more obscure product being less thoroughly scrubbed for issues.

      2. 2

        I like that they get progressively funnier as you go along. The second vuln had me giggling, the third grinning. :)

        1. 1

          I hope google actually gave this guy a bounty of $3,133.7 :)

          1. 1

            Just curious, where did you find this link?

            1. 1

              Sorry, I don’t recall now :(
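The "silent failure" discussed at the top of the thread is an enumeration-oracle question: does a "remove this email from CC" endpoint answer differently for an address that was on the list than for one that was not? The following is an added example, not code from the page or from Google's Buganizer, showing a leaky handler beside an idempotent one and a small check that tells them apart. `Issue`, `remove_cc_leaky`, `remove_cc_safe` and the sample follower list are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for a bug-tracker issue; not a real Buganizer type.
@dataclass
class Issue:
    issue_id: int
    cc: set[str] = field(default_factory=set)


Handler = Callable[[Issue, str], tuple[int, str]]


def remove_cc_leaky(issue: Issue, email: str) -> tuple[int, str]:
    """Hypothetical leaky handler: status and body branch on membership,
    so probing addresses reveals who follows the issue."""
    if email not in issue.cc:
        return 404, f"{email} is not on the CC list"
    issue.cc.discard(email)
    return 200, f"removed {email}"


def remove_cc_safe(issue: Issue, email: str) -> tuple[int, str]:
    """Hardened handler: idempotent removal, same response either way.
    set.discard is a no-op when the address is absent, so there is no
    membership-dependent branch for a client to observe."""
    issue.cc.discard(email)
    return 200, "ok"


def is_membership_oracle(handler: Handler, followers: set[str],
                         probe_present: str, probe_absent: str) -> bool:
    """Return True if the handler's response distinguishes a follower
    from a non-follower. Each probe runs against a fresh Issue copy so
    the first removal cannot influence the second response."""
    present = handler(Issue(1, set(followers)), probe_present)
    absent = handler(Issue(1, set(followers)), probe_absent)
    return present != absent


if __name__ == "__main__":
    # Constructed sample data for the demo.
    followers = {"alice@example.com", "bob@example.com"}
    for name, handler in (("leaky", remove_cc_leaky), ("safe", remove_cc_safe)):
        leaks = is_membership_oracle(handler, followers,
                                     "alice@example.com", "mallory@example.com")
        print(f"{name}: membership oracle = {leaks}")
```

Idempotence hides membership but is not authorization: the safe handler must still verify that the caller is allowed to edit this issue's CC list before calling `discard`, otherwise anyone could silently unsubscribe anyone else. Also keep the no-op and real-removal paths similar in cost, since a large timing gap would reopen the same oracle through a side channel.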