by Gopal Singh

I bypassed “How I hacked Google’s bug tracking system itself for $15,600 in bounties.” Here’s how.

1*mpMfTqXU8TNd-bH5TsSAsw
Photo by rawpixel on Unsplash

Hello Everyone!

I was reading some write-ups, and I came across this bug which I liked: “Getting a Google employee account.” It was a nice find by Alex Birsan. I started testing the issue tracker, and I was trying to see if I could get a Google account. Then looking around in issue tracker, I noticed in the browse components there were two public issue trackers. So I clicked on Android Public Tracker.

I could see bugs reported to Android there. To report a Bug in the Android public issue tracker, you can send an email to:

buganizer-system+componentID@google.com

where android’s component id is 190923.

I could see that my issue got listed in the public issue tracker. I got a confirmation email from buganizersystem+my_email@google.com. A reply to this email would be directed to:

buganizer-system+componentID+issueID@google.com

I responded to that email, and a comment was posted in the conversation. I could add a Google email to see if I could get a confirmation code. To test this I clicked on Forwarding and POP/IMAP in Gmail settings and added the Google email to the forwarding email address. I was surprised to see I got a confirmation code in the Android public issue tracker.

There are two parts here to get a Google account Signup and verification. I could verify a Google account, but I could not signup for an @google.com account, so my report was closed as Won’t Fix. I almost gave up, because after the initial fix I could not use my google.com email. But I decided to give it one last try.

1*VPKKHkJihwBU5EGmiCO87Q

Then I started visiting every sub-domain of Google to see if I could use a google.com email to signup. This new signup page appeared (see below). Initially, I could not find “Use my current email address instead” to get it to go to https://partnerissuetracker.corp.google.com/. Then you would click on Create an account, and you could see there was an option to use your current email address.

1*FnYAmegCjYie3tJD31dW7A

My heart rate increased after seeing the new signup page. I began to sign up using the buganizer-system+componentID+issueID@google.com email and then it asked me to verify by entering the code.

Verify your email address

I was waiting for the verification code in the conversation, and then I received the verification code in the email and the conversation in the issue tracker.

1*2V5EtNmYL9dLuWzzE5Pahg
1*i3SoADa-WPpR624Nr9BPyA

After successfully signing up for the Google Account, I reopened the issue. The impact here was that you can access https://google.ridecell.com which requires a Google account. Besides this, I tried to upgrade my account to Gmail now as I had a Google account. I added it to my Gmail, and I was able to send an email using from buganizer-system+componentID+issueID@google.com

If you try to spoof google.com email, your mail will land in spam. But my email appeared in the inbox, and it was from @google.com so an attacker could pretend that they were a Google employee.

Nice catch!

1*OM8Cx-NTdPsFxkGJgMcqxQ

It was 9:50 PM when I was looking for bugs, and finally, the most awaited email arrived: I was getting $3133.70. I could not sleep the whole night.

1*cp_Noolq5VnWPNf3NqgNGg

Check out this video to see more:

Thanks to Alex Birsan — this would not have been possible without his write-up. I learned a lot from reading his write-up. Also, thanks to Avinash Jain and Alex Birsan for taking the time to review the draft.

Thanks for reading!

Gopal Singh (https://twitter.com/gopalsinghcse)