low

GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)

Published Wed, Mar 11th, 2020

Platforms

Summary

Google Cloudshell leveraged websockets without validating that the origin matched the current instance host. An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disabling authentication via access to the underlying VM. They could then start the OAuth process with a spoofed host header, using phishing to get the target Cloud Shell user into following a redirection link, completing the OAuth process and ending in successful CSWSH, which would allow the attacker to hijack the target user's requests.

Affected Services

GCP Cloudshell

Remediation

null

Tracked CVEs

No tracked CVEs

References

https://ψ.fun/i/yvpMj https://security.googleblog.com/2020/03/announcing-our-first-gcp-vrp-prize.html

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Psi

More vulnerabilities...

high

Google wide domain check bypass

A vulnerability in Google's common JavaScript library allowed bypassing domain validation checks across multiple Google products. By using a backslash character in URLs, an attacker could make the ...

David SchützMar 8, 2020

critical

Azure App Service RCE

A Vulnerability in App Service could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system, thereby escaping the sandbox. This vulnerability allowed ...

Ronen Shustin, Check PointJan 30, 2020

AWS uploaded sensitive data to public GitHub bucket

An AWS employee pushed sensitive data to a public github bucket, including customer information and credentials. Note: This issue is outside the scope of this database's usual criteria for inclusio...

UpguardJan 23, 2020

View all