Google Issue Tracker Bug, Now Fixed, Let Anyone See Internal List of Google Vulnerabilities

A security researcher discovered bugs in the Google Issue Tracker that deals with bugs and unpatched vulnerabilities, allowing potentially anyone to gain access to a full internal list. The bugs have since been fixed by Google.

According to a report in Motherboard in Wednesday, Alex Birsan found vulnerabilities inside the Google Issue Tracker - used internally to track unpatched bugs and feature requests for Google products.

The largest one of these was one that allowed the researcher to access the internal issue tracker. The company has quickly patched the bugs found by Birsan and there's no evidence anyone else found the bugs and exploited them, the report added.

Birsan found three bugs in the platform.

"Exploiting this bug gives you access to every vulnerability report anyone sends to Google until they catch on to the fact that you're spying on them," Birsan told Motherboard.

"They are all patched now and he received rewards of $3,133.7, $5,000, and $7,500 for reporting them to Google," the report said.

Issue Tracker is available outside of Google for use by external public and partner users who need to collaborate with Google teams on specific projects.

The platform has access control permissions that govern which users can find, view, create and modify issues for each project.

"We appreciate Alex's report. We've patched the vulnerabilities that he reported, as well as their variants," a Google spokesperson was quoted as saying.