medium

GCP service accounts and projects information leak

Published Wed, Aug 26th, 2020

Platforms

Summary

It was possible to list IAM service accounts of any GCP project, given only its ID, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain services in GCP, this issue could lead to exposure of sensitive information related to a project, and could be further used to enumerate unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.

Affected Services

IAM, Projects

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Sat, Aug 8th, 2020

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Ezequiel Pereira

More vulnerabilities...

high

Google Cloud Shell Bugs Expose User Credentials

Three vulnerabilities in Google Cloud Shell were discovered, allowing attackers to execute arbitrary code and potentially steal user credentials. The bugs affected Ruby gemspec parsing, TypeScript ...

David DworkenAug 18, 2020

critical

Dropping a Shell in Google Cloud SQL

Researchers discovered vulnerabilities in Google Cloud SQL that allowed gaining unauthorized shell access to MySQL instances. By chaining SQL injection, parameter injection in mysqldump, and networ...

Ezequiel Pereira and Wouter...Aug 18, 2020

low

S3 Crypto SDK vulnerabilities

Sophie Schmieg, GoogleAug 10, 2020

View all