Researcher Awarded $10,000 for Google Cloud Platform Vulnerability

In March, Schütz discovered that a URL allow-list bypass could be used to leak the access token for the internal Google Cloud Platform (GCP) project “cxl-services.”

A user in possession of the access token could then elevate privileges on other internal Google Cloud projects (docai-demo, garage-staging, and p-jobs), could access Google Compute instances, and even completely take over

The leaked access token, Schütz notes, appears to provide a user with full access to the App Engine app, which proxies demo API requests on Google Cloud product pages.

Read More on Security Week