medium

GCP service accounts and projects information leak

Published Wed, Aug 26th, 2020

Platforms

Summary

It was possible to list IAM service accounts of any GCP project, given only its ID, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain services in GCP, this issue could lead to exposure of sensitive information related to a project, and could be further used to enumerate unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.

Affected Services

IAM, Projects

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html

Contributed by https://github.com/mer-b

Disclosure Date

Sat, Aug 8th, 2020

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Ezequiel Pereira

More vulnerabilities...

low

S3 Crypto SDK vulnerabilities

Sophie Schmieg, Google

Mon, Aug 10th, 2020

low

CloudTrail S3 data events leak bucket Account ID

Using CloudTrail S3 data events, it was possible to determine the AWS account ID of any existing S3 bucket by calling any S3 API, getting denied, and looking at the value in the resource key in err...

Jonathan Rault, TrustOnCloud

Mon, Jul 27th, 2020

low

XSS on EC2 web console

Display of EC2 tags had XSS

Johann Rehberger

Wed, Jul 1st, 2020

View all