
Researcher Awarded $10,000 for Google Cloud Platform Vulnerability

In March, Schütz discovered that a URL allow-list bypass could be used to leak the access token for the internal Google Cloud Platform (GCP) project “cxl-services.”

A user in possession of the access token could then elevate privileges on other internal Google Cloud projects (docai-demo, garage-staging, and p-jobs), access Google Compute instances, and even completely take over cxl-services.appspot.com.

The leaked access token, Schütz notes, appears to provide a user with full access to the App Engine app cxl-services.appspot.com, which proxies demo API requests on Google Cloud product pages.

Read More on Security Week