Security experts SADA claimed to have found a severe vulnerability in the Google Cloud Platform which has since been patched by the tech giant.
Known as Asset Key Theft, the vulnerability would have potentially allowed threat actors to steal the private keys of Google Cloud Service Accounts. In a statement (opens in new tab), SADA said it believed the flaw “would have given attackers a persistent and reliable method for abusing a Google Cloud environment.”
SADA notified Google of the issue in its cloud hosting business via its Bug Hunters (opens in new tab) bounty program, where researchers can alert the tech giant to flaws they find in its products in a safe and secure manner.
API flaw
SADA believed that the issue was critical “due to the permission’s commonality with third-party cloud security tools, such as Cloud Security Posture Management (CSPM) tools, to gather cloud inventory data from the API.”
The flaw was found in the Google Cloud Platform API known as the Cloud Asset Inventory API. It affected all Google Cloud users who had enabled this API and who had cloudasset.assets.searchAllResources permissions on the applicable Google Cloud environment were exposed to this vulnerability.
Once SADA reported this to Google, it reproduced the error itself to confirm its existence, before patching the vulnerability. SADA warns, however, that customers still may have been impacted by it, and the threat may have persisted after the patch.
“Supporting our customers as they transform their organizations in the cloud means constant vigilance when it comes to security,” says SADA CTO Miles Ward. “No public cloud is immune from vulnerabilities, and we all must act fast, collaborate openly, and communicate transparently when we spot a vulnerability.”
“We commend Google Cloud for how quickly and thoroughly they responded when we brought this bug to their attention. We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe.”