low

GCP Cloudshell Cross-Site WebSocket Hijacking (CSWSH)

Published Wed, Mar 11th, 2020

Platforms

Summary

Google Cloudshell leveraged websockets without validating that the origin matched the current instance host. An attacker could therefore host a CSWSH attack on a Cloudshell instance they own, disabling authentication via access to the underlying VM. They could then start the OAuth process with a spoofed host header, using phishing to get the target Cloud Shell user into following a redirection link, completing the OAuth process and ending in successful CSWSH, which would allow the attacker to hijack the target user's requests.

Affected Services

GCP Cloudshell

Remediation

null

Tracked CVEs

No tracked CVEs

References

https://ψ.fun/i/yvpMj https://security.googleblog.com/2020/03/announcing-our-first-gcp-vrp-prize.html

Contributed by https://github.com/ramimac

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Psi

More vulnerabilities...

critical

Azure App Service RCE

A Vulnerability in App Service could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system, thereby escaping the sandbox. This vulnerability allowed ...

Ronen Shustin, Check Point

Thu, Jan 30th, 2020

AWS uploaded sensitive data to public GitHub bucket

An AWS employee pushed sensitive data to a public github bucket, including customer information and credentials. Note: This issue is outside the scope of this database's usual criteria for inclusio...

Upguard

Thu, Jan 23rd, 2020

medium

GCP Speech to Text Information Disclosure

GCP's Speech-to-Text "operations/list" and "operations/get" APIs would return data that did not belong to the caller when no parameters were provided. It is unclear whether this was cross-custome...

Dan Maas

Sun, Jan 12th, 2020

View all