How I managed to get an @Google.com email address, bypassing their previous patch!

The Google Bug Tracker helps them(Google) in tracking through different bugs and security issues, but Gopal, a highly skilled security researcher managed to leverage and pilferage Google through its own issue tracker, isn't it quite creative? A defensive mechanism, since the same tool is used to track and patch security issues was implemented to pervade through Google's protection.

 Every organisation have bug trackers, in fact, for example most companies use external ones like Jira bug tracker to track and resolve bugs, so what makes Google's case unique in particular is their custom tailored Issue Tracker and it's features. Security researcher Gopal discovered that although Google had in the past attempted to fix several security issues in their Bug Tracker, yet, it was unsafe and indeed his firm conviction led to him finding a different issue, that can be called a regression but nevertheless, he bypassed Google's previous fix proving the fact - No system can be made "secure" (completely), no matter what amount of patches you make, this again shows the need for bug bounties to motivate and attract highly talented talented individuals as Gopal, and also motivates security researchers to use offensive methods as the one mentioned in this case, and keep trying harder to circumvent all security measures kept in place, even previous patches.

------------------------------------------------------

How I managed to get a Google organisation email, bypassing their previous patch!

I came across this writeup by Alex. I started testing the issue tracker, and I wanted to see if I could somehow manage to get an @google.com Account. In the issue tracker, I found the browse components feature. There were two public issue trackers, I clicked on Android Public Tracker

Bugs reported to Android showed up here. To report a Bug in Android public issue tracker you may simply send an email to-

buganizer-system+componentID@google.com

In this case, android’s component id is 190923.

The issue I made, got listed in the public issue tracker. I got a confirmation email from buganizersystem+my_email@google.com and hence, replies to the email would be directed to-

buganizer-system+componentID+issueID@google.com

I replied to that email and comment was posted in the conversation. I can add google email to see if I can get a confirmation code, to test this I clicked on Forwarding and POP/IMAP in Gmail settings and added the google email to the forwarding email address. I was surprised to see I got a confirmation code in the Android public issue tracker.

There are two parts here, to get a google account. Signup and verification. I can verify a google account, but I could not signup for a @google.com account so my report got closed as Won’t Fix. Bummer!

Then I started visiting every subdomain of Google to see if I could use google.com email to signup and this new signup page appeared.

I could feel my heartbeats racing, after coming across this new signup page. I signed up using the bug…@google.com email and then it asked me to verify by entering the code.

Verifying The email address

I was waiting for the verification code in the conversation and then received the verification code in the mail.

After successfully signing up for the Google Account, I reopened the issue.

Nice catch!

Finally, at 9:50 PM that day, the most awaited email arrived $3133.70. I could not sleep the whole night.

Video PoC

Thanks to Alex Birsan this would not be possible without his write-up. I learned a lot from reading write-ups