A security researcher has recently found a flaw in Google Cloud Project that allows for SSRF attacks. The researcher won a hefty bounty for reporting the flaw and the subsequent patch bypass.
Google Cloud Project SSRF Flaw
Through a recent blog post, security researcher David Schütz has explained how an SSRF flaw riddled Google Cloud Project.
As elaborated, he found this vulnerability while analyzing “Discovery Documents” for Google API services where “Jobs API” caught his attention. Tracing it further made him reach the Google Engine App that serves as a proxy to provide API access. However, while this proxy blocked access to Google’s internal resources, a whitelisting bypass existed to override this security mechanism.
Describing the actual vulnerability, the researcher stated in the post,
Access Token for internal GCP project “cxl-services” (with scopes “
https://www.googleapis.com/auth/cloud-platform“) can be leaked using a URL whitelist bypass on
Regarding the impact of this SSRF flaw upon an exploit, the researcher noted,
An anonymous attacker could exploit the URL validation vulnerability, and steal the access token the
cxl-services.appspot.comApp Engine app is sending.
Using this access token, the attacker could access resources on GCP projects
Consequently, such exploitation would allow taking over the App Engine app and GKE cluster (used by
docai-demo) to steal contents of demo API requests and return malicious responses. Similarly, such attacks would also permit privilege escalation to access internal Google Cloud resources.
The researcher has elaborated the details of his findings in the following video.
Google Deployed The Fix
According to the emails the researcher shared in his post, he immediately notified Google of the flaw right after discovery. Consequently, Google acknowledged his findings and started working on a fix. Whereas the tech giant rewarded the researcher with a $4133.70 bounty for the bug report.
However, upon testing the fix deployed by Google, the researcher could bypass it all over. Hence, this new finding earned him another $3133.70 bounty.
While the subsequent fix addressed the bypass, a few months later, the researcher again reached out to Google upon finding the old vulnerable versions on the AppEngine app. Eventually, while addressing this matter, Google rewarded him with another $3133.70 bounty for the report.