This hacker found a remote code execution vulnerability in Google Cloud gslbTarget and got $31,337 from Google
A neat way to make money! A security researcher from South America was awarded $31,337 as a bug bounty reward by Google for finding a remote code execution bug in Google Cloud.
The researcher, Exequiel Pereira found that he could manipulate the gslbTarget request to the Google Cloud Deployment Manager.
Pereira is a student at Universidad de la República, Montevideo, Uruguay, and an information security enthusiast according to his LinkedIn bio. Going by his past record, he is also an expert at finding bugs in Google deployments.
Pereira explains in his blog post that he discovered a flaw in Google Cloud Deployment Manager which could be used for remote code execution. Using the gslbTarget parameter, he managed to reach secure internal APIs such as issuetracker.corp.googleapis.com.
Pereira contacted Google with his find and the search giant appreciated his effort. He was paid a bug bounty of $31,337, as the RCE bug in Google Cloud was critical and, if left unpatched, could have exposed Google's internal infrastructure to any potential hacker.
Based on Pereira’s proof of concept, Google Cloud issued an immediate fix to the security vulnerability on May 7th.
For the uninitiated, Google Cloud Deployment Manager is used by Google Cloud users to create, deploy, and manage cloud resources. All Google Cloud properties can be accessed through the Google Cloud Deployment Manager dashboard.
Pereira’s find could have allowed any potential hacker to craft Type Providers such that Deployment Manager issues requests to internal Google endpoints and executes code remotely. The vulnerability is essentially due to the delegation of authority by GSLB endpoints.
If service A makes a request to service B on behalf of user C, the authorization of user C is checked. If there are no credentials for C, then the authorization of A is checked instead.
Through this delegation, A's own full authority ends up backing the request, and that authority can be misused for remote code execution.
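As an added illustration, not code from this article or from Pereira's write-up, the following Python model shows the delegation rule described above beside a fail-closed rule that never falls back to the deputy's own authority. Principal names, the endpoint list and the policy functions are hypothetical stand-ins, not Google's implementation.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: service A (a deployment manager) calls service B
# (an internal endpoint) on behalf of user C. All names are hypothetical.
INTERNAL_ENDPOINTS = {"internal.example-corp.invalid"}  # constructed sample


@dataclass(frozen=True)
class Principal:
    name: str
    is_service: bool
    can_reach_internal: bool


@dataclass(frozen=True)
class Request:
    target: str                     # hypothetical stand-in for gslbTarget
    caller: Principal               # service A, the deputy issuing the call
    end_user: Optional[Principal]   # user C; None when no user credential is attached


def authorize_with_fallback(req: Request) -> bool:
    """The rule the article describes: check C; with no credentials for C, check A instead."""
    effective = req.end_user if req.end_user is not None else req.caller
    if req.target in INTERNAL_ENDPOINTS:
        return effective.can_reach_internal
    return True


def authorize_fail_closed(req: Request) -> bool:
    """Hardened rule: a delegated request is never approved on the deputy's own authority.
    A request with no end-user credential is refused outright."""
    if req.end_user is None:
        return False
    if req.target in INTERNAL_ENDPOINTS:
        return req.end_user.can_reach_internal
    return True


# Constructed principals: the deputy may reach internal endpoints, the outside user may not.
DEPLOYMENT_MANAGER = Principal("service-A", is_service=True, can_reach_internal=True)
OUTSIDE_USER = Principal("user-C", is_service=False, can_reach_internal=False)


def demo() -> dict:
    """Compare both rules on an internal target with and without an end-user credential."""
    with_user = Request("internal.example-corp.invalid", DEPLOYMENT_MANAGER, OUTSIDE_USER)
    no_user = Request("internal.example-corp.invalid", DEPLOYMENT_MANAGER, None)
    return {
        "fallback_with_user": authorize_with_fallback(with_user),   # denied: C is checked
        "fallback_no_user": authorize_with_fallback(no_user),       # allowed: A's authority leaks
        "fail_closed_no_user": authorize_fail_closed(no_user),      # denied: no user, no access
    }
```

The middle result is the confused-deputy outcome the article describes: once the check falls back to service A, the deputy's own reach decides the request.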