GCP service accounts and projects information leak

Published Wed, Aug 26th, 2020


It was possible to list the IAM service accounts of any GCP project, given only its project ID, by forging the pageToken parameter of the projects.serviceAccounts.list method of the IAM API. The token is meant to be an opaque continuation value handed back by a previous, authorized call, but a crafted one was accepted for a project the caller had no permissions on. Because several GCP services create default service accounts whose e-mail addresses embed the project identifier (for example App Engine's PROJECT_ID@appspot.gserviceaccount.com and Compute Engine's PROJECT_NUMBER-compute@developer.gserviceaccount.com), the listing revealed sensitive details about the target project, including its project number and which services were in use, and could be used to enumerate unsecured resources on the platform such as App Engine apps, Container Registry repositories, etc.

Affected Services

IAM, Projects


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Sat, Aug 8th, 2020
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Ezequiel Pereira