Overly permissive settings in Google Cloud’s Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information.
This, according to threat detection and response company Vectra AI and its principal security researcher Kat Traxler, who says that despite eventually receiving a bug bounty from Google for the find, the cloud giant has yet to fix the misconfiguration, meaning that this attack vector is still wide open.
The whole vulnerability reporting process was a bit of a mess. Traxler reported the flaw in early April, but Google initially determined that the documentation was “insufficient” to pay a bounty for the find. Then later, they changed course and awarded the bug hunter $3133.70 for her reporting — and marked the status as “fixed,” while Traxler contends it’s still a problem.
Google did not immediately respond to The Register‘s inquiries.
“Attackers are as sophisticated as they need to be,” Traxler told The Register, when asked about the likelihood of the issue being abused in real-world attacks.Â
“If an environment is immature, with broad access to data commonly and easily found, leveraging this flaw in Document AI is unnecessary,” she said. “However, in hardened environments that adhere more strictly to least privilege, leveraging the Document AI service to exfiltrate data would both align with an attacker’s motivation and might be the easiest path towards accomplishing goals.”
Traxler detailed this attack in research published Monday alongside a proof-of-concept (POC) demonstrating how she bypassed Document AI’s access controls, swiped a PDF from a source Google Cloud Storage bucket, altered the file and then returned it.
The issue exists in Document AI, a Google Cloud service that uses machine learning to extract information from documents and aims to make it easier and faster for businesses to analyze and process large numbers of documents. Customers can use either pre-trained models or create their own, and they can process documents stored in Google Cloud Storage via both standard (online) job or batch (offline) processing.
During batch processing, the service uses a Google-managed service account called a service agent. It’s used as the identity in batch processing, and it ingests the data and outputs the results.Â
Therein lies the problem, according to Traxler. The pre-set service agent permissions are too broad, and in batch-processing mode the service uses the service agent’s permissions, not the caller’s permissions.Â
The permissions granted to the service agent allow it to access any Google Cloud Storage bucket within the same project, thus allowing the service to move data that the user normally wouldn’t have access to.
“This capability enables a malicious actor to exfiltrate data from GCS to an arbitrary Cloud Storage bucket, bypassing access controls and exfiltrating sensitive information,” Traxler wrote. “Leveraging the service (and its identity) to exfiltrate data constitutes transitive access abuse, bypassing expected access controls and compromising data confidentiality.”
Traxler reported the data exfiltration issue to Google’s Vulnerability Reward Program on April 4. After some back-and-forth, all of which is detailed in the Vectra write-up, the VPR ultimately determined on May 7 that the “security impact of this issue does not meet the bar for a financial reward.” Instead, Traxler earned an honorable mention.
On June 7, Google changed the status of the bug to “fixed.” That same month, Traxler disputed the finding, then in early July, sent a POC to Google, along with the following message:
Later in July, Traxler reminded the bug bounty team that she would be demonstrating the data-stealing risk from Document AI at fwd:cloudsec Europe 2024 happening today, and in August, again, suggested changing the status since, she maintains, the issue is still not fixed.
On September 9, Traxler received word that VRP did decide to issue her a reward of $3133.70 for her disclosure.
“Congratulations! Rationale for this decision: Normal Google Applications. Vulnerability category is ‘bypass of significant security controls,’ other data/systems,” according to the timeline published in the Vectra telling. “We applied a downgrade because the attacker needs to have an access to an impacted victim’s project.”
Again, The Register has reached out to Google for their side of the story, and hopes to be able to include comments soon. ®