Google's Gerrit Platform Flaw Exposes 18 Google Projects, Including ChromiumOS, to Hackers
gbhackers
A critical vulnerability, dubbed “GerriScary,” has been discovered in Google’s Gerrit code-collaboration platform, putting at least 18 major Google projects—including ChromiumOS, Chromium, Dart, and Bazel—at risk of unauthorized code submissions by hackers.
This flaw, uncovered by Tenable Cloud Research, highlights the dangers of misconfigured permissions in open-source development environments and the potential for large-scale supply chain attacks.
The GerriScary Vulnerability
Gerrit, developed by Google, is a widely used web-based system for code review and collaboration.
It allows developers to propose, discuss, and approve code changes before they are merged into project repositories.
However, Tenable researchers found that a combination of default permissions and logic flaws in Gerrit’s review process could allow any registered user to inject malicious code into trusted Google projects without detection.
The vulnerability centers on two main Gerrit mechanisms: permissions and labels. Permissions define what actions users can ...