Published Fri, Jan 13th, 2023
Platforms
Several vulnerabilities were present in how Google Cloud Shell (ssh.cloud.google.com) handled OAuth credentials. These included an open-redirect vulnerability, where attackers could redirect users to malicious sites to capture their credentials, and a validation bypass that allowed tokens to be submitted to user-defined URIs, circumventing normal security checks. Additionally, Google Cloud Workstations did not correctly tie the state parameter to the session that generated it, which allowed valid state parameters to be reused across different sessions and users. Combined, these issues created a scenario where credentials to Google Cloud Workstations were susceptible to phishing attacks.
Cloud Workstations, Cloud Shell
None required
No tracked CVEs
Contributed by https://github.com/KatTraxler
Entry Status
Finalized
Disclosure Date
Sat, Nov 19th, 2022
Exploitability Period
-
Known ITW Exploitation
-
Detection Methods
None
Piercing Index Rating
-
Discovered by
Sivanesh Ashok, Sreeram KL
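
The summary above names two server-side checks that were missing or bypassable: the state parameter was not tied to the session that generated it, and tokens could be sent to user-defined URIs. The sketch below is an added example, not Google's code or fix, showing one way to enforce both checks; the key handling, session identifiers, callback URL and function names are assumptions made for illustration, and expiry and one-time use of state are left out.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; a real service loads these from config.
SERVER_KEY = secrets.token_bytes(32)
ALLOWED_REDIRECTS = frozenset({"https://workstation.example.test/oauth/callback"})


def _tag(session_id: str, nonce: str) -> bytes:
    """HMAC over the session id and nonce, so the tag is useless in any other session."""
    msg = session_id.encode() + b"\x00" + nonce.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_state(session_id: str) -> str:
    """Mint a state value when the authorization request starts."""
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_tag(session_id, nonce).decode()}"


def verify_state(session_id: str, state: str) -> bool:
    """Accept state only if it was minted for the session presenting it."""
    nonce, sep, tag = state.partition(".")
    if not sep or not nonce or not tag:
        return False  # malformed or attacker-constructed value
    # Constant-time comparison on bytes (str inputs must be ASCII-only).
    return hmac.compare_digest(_tag(session_id, nonce), tag.encode())


def redirect_allowed(uri: str) -> bool:
    """Exact string match against registered callbacks.

    Prefix, substring or host-only comparisons are what let a look-alike
    host or an appended redirect parameter pass validation.
    """
    return uri in ALLOWED_REDIRECTS


if __name__ == "__main__":
    state = issue_state("session-A")
    print("same session:", verify_state("session-A", state))
    print("other session:", verify_state("session-B", state))
    print("registered callback:",
          redirect_allowed("https://workstation.example.test/oauth/callback"))
```

A callback handler would call verify_state with the session identifier from the caller's own cookie, never one carried in the request parameters, and refuse to deliver a token when either check fails.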