Now-patched API vulnerability allowed attacker to access sensitive resources
Leaking access token
Schütz found the bug while doing research on Discovery Documents, data structures that provide specifications for Google API services. While exploring the Discovery Documents, Schütz stumbled on an interesting service called Jobs API, whose name suggested it was an internal service.
The Jobs API led him to an application on the Google App Engine that served as a proxy to make the API available through Google’s public product marketing pages. The proxy served as an intermediary that provided access to the API, which meant it had an access token that could potentially serve as a window for SSRF attacks.
The proxy prevented access to internal Google resources by running request URLs through a whitelist. But with a little fiddling, Schütz was able to trick the URL parser and bypass the whitelist to send requests to arbitrary servers. This enabled him to send requests from the proxy app to a VPS server he ran on Google Cloud.
The request exposed the proxy app’s access token, which he could then use to send requests to other internal Google Cloud projects.
“In this particular bug, the core issue was a URL parsing bug, which lead to the SSRF,” Schütz told The Daily Swig.
Accessing resources, running arbitrary code
Through the access token, Schütz was able to obtain a list of accessible internal projects, cloud storage buckets, virtual machines, and the administration interface of the proxy application.
Through the latter, he was able to access logs that had sensitive user information (though he did not download any of the logs) and instances of the app itself, which could be reverse-engineered to obtain its source code.
The administrative interface is especially dangerous because it has full control of the App Engine instance, allowing an attacker to disrupt the service, collect user information, or upload malicious code.
To show the impact of the bug, Schütz created and uploaded a Python application on the proxy service that returned a base64 message. To avoid disrupting the main service, he uploaded the application as a non-default version of the proxy service.
“This issue feels like an industry-wide problem since different applications are parsing URLs based on different specifications,” Schütz said.
“After disclosing the initial issue in the Google JS library, I have already seen this getting fixed in products from different companies as well. Even though, this issue still keeps popping up even at Google. This SSRF is a great example of it.”
Schütz was rewarded a $4,133 bounty by the Google Vulnerability Rewards Program for the discovery.
After the bug was fixed, he had another shot at the proxy and saw that although the original exploit no longer worked, the URL parser could still be bypassed through another scheme. Reporting this new bug got him another $3,133 in double bounty.
He later got a further $3,133 by discovering and reporting that old versions of the proxy application were still up and running.