The now-patched privacy flaw puts unsecured resources in jeopardy
Google has just fixed a bug in its cloud platform that made it possible for attackers to obtain a list of service accounts in a Google Cloud Platform (GCP) project.
The bug, found by security researcher Ezequiel Pereira, could potentially enable cybercriminals to gain access to unsecured resources.
Pereira found the security hole while probing GCP’s Identity and Access Management API (IAM API).
Among IAM API’s functions is the management of service accounts, special non-user Google accounts that give apps access to resources and functions.
The IAM function that provides a list of service accounts in a Google project takes a PageToken parameter, which returns a subset of the results and is used when the list contains more items than can fit on a page.
In his research, Pereira found out that PageToken is a base64 string that contains several bits of information, including the project number and ID of the last service account it has returned.
The researcher further discovered that if he created a custom PageToken value with another project number, he could obtain a list of service accounts for that project, even if he didn’t have access to it.
Unsecured resources at risk
Alarmingly, the IAM audit log did not register the unauthorized access to the queried project. Pereira also found a way to trick the Google authentication service into revealing project numbers, so that they could be fed into the IAM service account listing function.
If an attacker ascertained project IDs from the project numbers, they would then be able to obtain even more information, including the identity of Google Cloud customers and possibly a list of unsecured resources, such as unsecured Cloud Storage buckets, App Engine apps, and Container Registry repositories.
“By listing per-product, per-project service accounts, I believe it would have been possible to gather a huge list of GCP project numbers, which could in turn be resolved into project IDs,” Pereira told The Daily Swig.
“Project IDs are PII per se, but they are also useful [for] finding resources, such as App Engine apps or Container Registry images that may not have been properly secured.”
Pereira said that since resources are managed by users, security issues arising from their own mishandling could not be blamed on Google.
“It is worth noting, though,” he added, “that Google also uses GCP for several of their own products. And they also leave misconfigured resources, so the issue could have eventually affected Google anyway.”
In a blog post revisiting his discovery, Pereira confirmed that he has found another security issue that resolves project IDs from project numbers.
“This issue is in a different GCP API (not the IAM API), but it relies on using undocumented features, so I'd guess it is safe to assume it is unlikely for a real attacker to find it,” he said.
“I'm sure Google is working on a fix, but I don't have visibility into that.”
Pereira, who is based in Uruguay, has been bug hunting on Google platforms since 2016 when he was still in high school. He has reported several vulnerabilities in Google Cloud in recent years, including two that netted him bug bounties worth $31,000 and $36,000.