Technical Analysis of "Leaking Google Cloud Projects"

Overview:
Ezequiel Pereira's blog post details the discovery of a vulnerability that allowed him to leak internal Google Cloud project names and associated metadata. The vulnerability involved an internal API endpoint that was inadvertently exposed without proper authentication or access controls. This analysis will dive into the technical specifics of the vulnerability, how it was discovered, and the broader implications for cloud security.

Key Technical Details:

  1. Google Cloud Enumerations:
    Google Cloud uses projects as basic units for organizing resources. Each project has a unique project ID, which developers typically do not keep confidential. However, internal project names and their metadata can offer insights into a company's infrastructure and operations.

  2. Discovery of the Vulnerability:
    Ezequiel stumbled upon an internal API endpoint during his research. This endpoint, /internal/projects, was accessible without requiring authentication and returned JSON data listing internal Google Cloud projects along with sensitive metadata. His approach involved methodical fuzzing and endpoint enumeration:

    curl "https://internal-api.google.com/internal/projects"

Upon executing the above request, he was able to retrieve detailed information about internal Google Cloud projects. This indicated a lack of proper authentication and access control measures.

  3. API Endpoint Analysis:
    The internal endpoint might have been intended for internal use by Google developers for easier management or orchestration of projects. It demonstrated two pitfalls:
    - No Authentication Requirement: The endpoint did not validate the identity of the requester.
    - Excessive Data Exposure: The API responded with internal project details and metadata that should have been restricted.

Example JSON data retrieved might look like:

    [
      {
        "projectId": "internal-project-123",
        "displayName": "Internal Google Project",
        "owner": "google-user",
        "createdDate": "2020-07-27T12:34:56Z"
      },
      ...
    ]

  4. Potential Risks and Impact:
    Exposure of internal project names and metadata can lead to several security risks, including:
    - Targeted Attacks: Knowledge of project names and structures can aid attackers in conducting targeted attacks or social engineering.
    - Reconnaissance: Adversaries can understand the internal architecture and operational focus areas of the company.
    - Information Disclosure: Potential leakage of confidential project details and user information that could aid in further exploitation.

  5. Mitigation Measures Taken by Google:
    After Ezequiel reported the issue through Google's Vulnerability Reward Program (VRP), Google quickly rectified the flaw by implementing proper authentication and authorization checks on the internal API endpoint. Two measures followed:
    - Authentication Enforcement: Ensured that any request to the internal API must come from an authenticated and authorized user.
    - Data Scrubbing: Reduced the amount of sensitive information exposed by the API.
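To make the two pitfalls (no authentication, excessive data exposure) and the two fixes (authentication enforcement, data scrubbing) concrete, here is an added illustration, not code from the blog post or from Google: a minimal request handler in its flawed form beside its hardened form. The token store, session contents, second project record and PUBLIC_FIELDS list are constructed for the example.

```python
import hmac

# Constructed sample data in the shape of the JSON shown in the post.
PROJECTS = [
    {"projectId": "internal-project-123", "displayName": "Internal Google Project",
     "owner": "google-user", "createdDate": "2020-07-27T12:34:56Z"},
    {"projectId": "internal-project-456", "displayName": "Second Internal Project",
     "owner": "another-user", "createdDate": "2021-01-15T08:00:00Z"},
]
# Hypothetical session store: bearer token -> caller identity and the
# project IDs that caller is authorised to read.
SESSIONS = {"tok-alice": {"user": "alice", "projects": {"internal-project-123"}}}
# Data scrubbing: only these fields ever leave the service.
PUBLIC_FIELDS = ("projectId", "displayName")


def vulnerable_handler(headers):
    """The flaw described in the post: every caller gets every full record."""
    return 200, PROJECTS


def hardened_handler(headers):
    """Authenticate, then authorise per project, then scrub fields."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    session = None
    if scheme == "Bearer":
        # Constant-time comparison against each known token; no early exit
        # on mismatch so the response time does not leak token prefixes.
        for known, sess in SESSIONS.items():
            if hmac.compare_digest(known, token):
                session = sess
    if session is None:
        # Unauthenticated callers learn nothing about the project list.
        return 401, {"error": "authentication required"}
    visible = [
        {field: p[field] for field in PUBLIC_FIELDS}
        for p in PROJECTS
        if p["projectId"] in session["projects"]
    ]
    return 200, visible
```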

  6. Bug Bounty Program:
    Google's proactive approach underscores the importance of bug bounty programs in identifying and mitigating security flaws. The researcher was rewarded $3,133.70 for the discovery, a figure often associated with Google's security vulnerability payout scale.

Conclusion:

This vulnerability underscores the risks associated with exposed internal services and the importance of robust security controls in cloud environments. Ensuring that internal APIs are properly secured can prevent sensitive data leaks and mitigate the risks of unauthorized access.

For more details on this vulnerability, read the original blog post by Ezequiel Pereira.