medium

Impersonate GCP Organization Through the Organizations Update Method

Published Sun, Jan 20th, 2019

Platforms

Summary

A GCP Organizations name could be changed through the (deprecated) organizations.update method in the Resource Manager, even though the documentation said the "displayName" was read-only. With this, I could have my own organization and name it as another one and confuse users: - Rename an organization "<IMPORTANT-COMPANY>.com" - Share it with "domain:<IMPORTANT-COMPANY>.com" (Effectively sharing it with every Google user with a @<IMPORTANT-COMPANY>.com account) - Profit from unsuspecting users creating resources in my organization, specially billing accounts or building projects that manage sensible information.

Affected Services

GCP Organizations

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.ezequiel.tech/2019/01/75k-google-cloud-platform-organization.html

Contributed by https://github.com/KatTraxler

Entry Status

Finalized

Disclosure Date

Thu, Nov 29th, 2018

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Ezequiel Pereira

More vulnerabilities...

medium

Azure Cloud Shell terminal escape

If attacker controlled data is viewed in Cloudshell it could have led to code execution. This exact same issue was later discovered in AWS as well.

Felix Wilhelm, GoogleJan 9, 2019

low

Resource policy confused deputy issue with services

Resource policies lacked a way of restricting service access to only your own account, allowing an attacker to leverage a service to potentially access your resources. Originally discovered by Dan ...

Dan Peebles, BridgewaterNov 28, 2018

medium

Launching EC2s did not require specifying AMI owner

Attackers had put malicious AMIs in the marketplace to abuse the CLI''s way of selecting what AMI to use. Although the concept of planting malicious AMIs had existed for a while (ex. in the 2009 p...

Megan MarshAug 13, 2018

View all