How I hacked Google’s bug tracking system itself for $15,600 in bounties


Easy Bugs for Hard Cash

Alex Birsan

Have you ever heard of the Google Issue Tracker? Probably not, unless you’re a Google employee or a developer who recently reported bugs in Google tools. And neither had I, until I noticed my vulnerability reports were now being handled by opening a new thread there, in addition to the usual email notifications.

So I immediately started trying to break it.

So what exactly is this website? According to the documentation, the Issue Tracker (internally called Buganizer System) is a tool used in-house at Google to track bugs and feature requests during product development. It is available outside of Google for use by external public and partner users who need to collaborate with Google teams on specific projects.

In other words, when someone has an issue with a Google product, it goes in the issue tracker. Makes sense, right? We, as external users, only get to see the tip of the iceberg: A small set of pre-approved categories, and issues where someone at Google explicitly added an external account, such as vulnerability reports. But how much information lies under the surface?

By observing numerical IDs assigned to the latest public threads, we can easily estimate how much usage this tool gets internally. There are about 2000–3000 issues per hour being opened during the work hours in Mountain View, and only 0.1% of them are public. Seems like a data leak in this system would have a pretty big impact. Let’s break it!

Attempt #1: Getting a Google employee account

One of the first things I noticed upon discovering the issue tracker was the ability to participate in discussions by sending emails to a special address, which looks like this:

buganizer-system+componentID+issueID@google.com

(in which componentID is a number representing a category, and issueID is a unique identifier for the thread you are responding to)

This reminded me of a recent finding called the Ticket Trick, which allowed hackers to infiltrate organizations’ chat systems by leveraging this kind of email system. Considering that this is an @google.com email address, I tried signing up to Google’s Slack team using it, and the confirmation page I got to looked very promising:

Alas, no email from Slack ever showed up.

The next best thing I could think of was getting a Google account with an @google.com main email address, which would hopefully give me some extra privileges on the Buganizer. Registering such an account from outside Google was not supposed to be allowed:


However, I found a method to bypass this filter: If I signed up with any other fake email address, but failed to confirm the account by clicking on a link received by email, I was allowed to change my email address without any limitations. Using this method, I changed the email of a fresh Google account to buganizer-system+123123+67111111@google.com.

Soon after, I received the confirmation email as a message on the corresponding issue page:

Nice! I clicked the confirmation link, logged in on the Issue Tracker, and …


I got redirected to the corporate login page. And no, my Google account credentials did not work there. Bummer.

Nevertheless, this account gave me a lot of extra benefits in other places across the internet, including the ability to hitch a ride (for free, maybe?), so it was still a security problem that opened a lot of doors for malicious users.

Accepted: 11 hours | Bounty: $3,133.7 | Priority: P1
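The gap exploited in Attempt #1 is a policy check enforced on one code path (signup) but not on another (changing the address of a not-yet-confirmed account). As an added illustration, not code from the post or from Google, the sketch below models that gap next to the fix, a single enforcement point that every address-setting path shares; the account store, the reserved-domain list and the throwaway placeholder address are constructed for the example.

```python
import re
from typing import Optional

# Constructed example: domain reserved for the organisation's own identities
# (google.com in the post). Matching is case-insensitive and covers subdomains.
RESERVED_DOMAINS = {"google.com"}

def uses_reserved_domain(addr: str) -> bool:
    """The +tag of a ticket-style address is in the local part; only the domain decides."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr)
    if not m:
        raise ValueError(f"malformed address: {addr!r}")
    domain = m.group(1).lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in RESERVED_DOMAINS)

class VulnerableAccounts:
    """Mirrors the flaw in the post: the domain filter runs only at signup."""
    def __init__(self):
        self.accounts = {}
    def signup(self, uid: str, email: str) -> None:
        if uses_reserved_domain(email):
            raise PermissionError("reserved domain")
        self.accounts[uid] = {"email": email, "confirmed": False}
    def change_email(self, uid: str, new_email: str) -> None:
        if self.accounts[uid]["confirmed"]:
            raise PermissionError("confirmed accounts need re-verification")
        self.accounts[uid]["email"] = new_email  # unconfirmed: no filter at all

class HardenedAccounts(VulnerableAccounts):
    """Every path that sets an address goes through the same policy check."""
    def _set_email(self, uid: str, email: str) -> None:
        if uses_reserved_domain(email):
            raise PermissionError("reserved domain")
        self.accounts.setdefault(uid, {"confirmed": False})["email"] = email
    def signup(self, uid: str, email: str) -> None:
        self._set_email(uid, email)
    def change_email(self, uid: str, new_email: str) -> None:
        if self.accounts[uid]["confirmed"]:
            raise PermissionError("confirmed accounts need re-verification")
        self._set_email(uid, new_email)

def replay(store) -> Optional[str]:
    """Replay the post's sequence; return the final address, or None if the change was blocked."""
    store.signup("u1", "throwaway@example.net")  # constructed placeholder, never confirmed
    try:
        store.change_email("u1", "buganizer-system+123123+67111111@google.com")
    except PermissionError:
        return None
    return store.accounts["u1"]["email"]
```

Running `replay` against both stores shows the unconfirmed-account path ending with a reserved-domain address in the vulnerable version and being refused in the hardened one.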