Google Cloud Document AI flaw (still) allows data theft despite bounty payout
Chocolate Factory downgrades risk, citing the need for attacker access
Updated Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information.
This, according to threat detection and response company Vectra AI and its principal security researcher Kat Traxler, who says that despite eventually receiving a bug bounty from Google for the find, the cloud giant has yet to fix the misconfiguration, meaning that this attack vector is still wide open.
The vulnerability reporting process was a bit of a mess. Traxler reported the flaw in early April, but Google initially determined that the documentation was "insufficient" to merit a bounty. It later changed course, awarded the bug hunter $3133.70 for her report, and marked the issue as "fixed," while Traxler contends it is still a problem.
Google did not immediately respond to The Register's inquiries.
"Attackers are as sophisticated as they need to be," Traxler told The Register, when asked about the likelihood of the issue being abused in real-world attacks.
"If an environment is immature, with broad access to data commonly and easily found, leveraging this flaw in Document AI is unnecessary," she said. "However, in hardened environments that adhere more strictly to least privilege, leveraging the Document AI service to exfiltrate data would both align with an attacker's motivation and might be the easiest path towards accomplishing goals."
Traxler detailed this attack in research published Monday alongside a proof-of-concept (POC) demonstrating how she bypassed Document AI's access controls, swiped a PDF from a source Google Cloud Storage bucket, altered the file and then returned it.
The issue exists in Document AI, a Google Cloud service that uses machine learning to extract information from documents and aims to make it easier and faster for businesses to analyze and process large numbers of them. Customers can use either pre-trained models or create their own, and they can process documents stored in Google Cloud Storage via either standard (online) or batch (offline) processing.
During batch processing, the service uses a Google-managed service account called a service agent. It's used as the identity in batch processing, and it ingests the data and outputs the results.
Therein lies the problem, according to Traxler. The preset service agent permissions are too broad, and in batch-processing mode the service acts with the service agent's permissions, not the caller's.
The permissions granted to the service agent allow it to access any Google Cloud Storage bucket within the same project, thus allowing the service to move data that the user normally wouldn't have access to.
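The transitive-access pattern described above is something a defender can audit for directly: list who can submit Document AI jobs without holding any Cloud Storage role of their own (those are the principals for whom batch processing widens reach into GCS), confirm which identity holds the service-agent role, and watch Cloud Audit Logs for batch jobs whose output lands in a bucket that is not on an allowlist. The script below is an added example, not code from Vectra, Traxler or Google. The only identifier taken from the article is the `roles/documentaicore.serviceAgent` role; the caller and Storage role sets, the audit-log method name, and the request field path are assumptions, and the IAM policy and log entries are constructed samples in the shape `gcloud projects get-iam-policy --format=json` and Cloud Audit Logs produce.

```python
import re

# Role the article names as the one granted to the Document AI service agent (P4SA).
SERVICE_AGENT_ROLE = "roles/documentaicore.serviceAgent"

# Assumed role sets (not from the article): roles that let a principal submit
# Document AI processing requests, and roles that grant direct Cloud Storage access.
DOCUMENTAI_CALLER_ROLES = {
    "roles/documentai.apiUser", "roles/documentai.editor",
    "roles/editor", "roles/owner",
}
STORAGE_ROLES = {
    "roles/storage.admin", "roles/storage.objectAdmin",
    "roles/storage.objectViewer", "roles/storage.objectUser",
    "roles/editor", "roles/owner",
}

# Assumed: method name Cloud Audit Logs record for a batch processing request.
BATCH_METHOD = ("google.cloud.documentai.v1."
                "DocumentProcessorService.BatchProcessDocuments")

# Constructed IAM policy; the service-agent email is a labelled placeholder.
SAMPLE_POLICY = {
    "bindings": [
        {"role": SERVICE_AGENT_ROLE,
         "members": ["serviceAccount:service-PROJECT_NUMBER@SERVICE_AGENT_DOMAIN"
                     ".iam.gserviceaccount.com"]},
        {"role": "roles/documentai.apiUser",
         "members": ["user:analyst@example.com", "user:admin@example.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["user:admin@example.com"]},
    ]
}

# Constructed Cloud Audit Log entries (only the protoPayload fields used here).
SAMPLE_LOG_ENTRIES = [
    {"protoPayload": {
        "methodName": BATCH_METHOD,
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "request": {"documentOutputConfig": {"gcsOutputConfig":
                    {"gcsUri": "gs://attacker-drop/out/"}}}}},
    {"protoPayload": {
        "methodName": BATCH_METHOD,
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "request": {"documentOutputConfig": {"gcsOutputConfig":
                    {"gcsUri": "gs://finance-docs/processed/"}}}}},
    {"protoPayload": {  # online call: no batch output location, ignored below
        "methodName": "google.cloud.documentai.v1.DocumentProcessorService.ProcessDocument",
        "authenticationInfo": {"principalEmail": "analyst@example.com"},
        "request": {}}},
]


def roles_by_member(policy):
    """Invert the bindings list into {member: set(roles)}."""
    out = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out.setdefault(member, set()).add(binding["role"])
    return out


def service_agent_members(policy):
    """Members holding the Document AI service-agent role: the identity batch jobs run as."""
    return sorted(m for m, roles in roles_by_member(policy).items()
                  if SERVICE_AGENT_ROLE in roles)


def transitive_access_principals(policy):
    """Principals who can submit Document AI jobs but hold no direct Storage role.

    For these principals a batch job reaches GCS data they could not touch directly,
    which is the transitive-access condition the research describes."""
    return sorted(m for m, roles in roles_by_member(policy).items()
                  if roles & DOCUMENTAI_CALLER_ROLES and not roles & STORAGE_ROLES)


def bucket_of(gcs_uri):
    """Bucket name from a gs:// URI, or None if the URI is malformed."""
    m = re.match(r"^gs://([^/]+)", gcs_uri or "")
    return m.group(1) if m else None


def suspicious_batch_jobs(entries, allowed_output_buckets):
    """Batch jobs writing outside the allowlist, as (principal, output_uri) pairs."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != BATCH_METHOD:
            continue
        uri = (payload.get("request", {}).get("documentOutputConfig", {})
               .get("gcsOutputConfig", {}).get("gcsUri"))
        if bucket_of(uri) not in allowed_output_buckets:
            principal = payload.get("authenticationInfo", {}).get("principalEmail")
            hits.append((principal, uri))
    return hits


if __name__ == "__main__":
    print("service agent:", service_agent_members(SAMPLE_POLICY))
    print("transitive access:", transitive_access_principals(SAMPLE_POLICY))
    print("batch jobs to unexpected buckets:",
          suspicious_batch_jobs(SAMPLE_LOG_ENTRIES, {"finance-docs"}))
```

Feeding the real policy and an exported audit-log slice in place of the constructed samples turns the first two functions into a one-off inventory and the third into a recurring detection; the allowlist is the set of buckets your own pipelines legitimately write batch output to.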
"This capability enables a malicious actor to exfiltrate data from GCS to an arbitrary Cloud Storage bucket, bypassing access controls and exfiltrating sensitive information," Traxler wrote. "Leveraging the service (and its identity) to exfiltrate data constitutes transitive access abuse, bypassing expected access controls and compromising data confidentiality."
Traxler reported the data exfiltration issue to Google's Vulnerability Reward Program on April 4. After some back-and-forth, all of which is detailed in the Vectra write-up, the VRP ultimately determined on May 7 that the "security impact of this issue does not meet the bar for a financial reward." Instead, Traxler earned an honorable mention.
On June 7, Google changed the status of the bug to "fixed." That same month, Traxler disputed the finding, and in early July she sent a POC to Google along with the following message:
The point that needs to be hammered home is the principal who can process (or batch process) documents with Document AI does not need to have Storage permissions to access data in Cloud Storage and move to another location (data exfiltration)[.] This is achieved due to the permissions assigned to the Document AI P4SA (roles/documentaicore.serviceAgent). I recommend that Document AI be assigned a user-managed service account for its data processing, similar to Cloud Workflows. Allowing the P4SA to move user-defined data is not the correct pattern and has led to a data exfiltration vulnerability. Please change the status of this issue to indicate it has not been fixed. Public disclosure will occur at a high-profile event in September 2024.
Later in July, Traxler reminded the bug bounty team that she would be demonstrating the data-stealing risk from Document AI at fwd:cloudsec Europe 2024 happening today, and in August, again, suggested changing the status since, she maintains, the issue is still not fixed.
On September 9, Traxler received word that the VRP had decided to issue her a reward of $3133.70 for her disclosure.
"Congratulations! Rationale for this decision: Normal Google Applications. Vulnerability category is 'bypass of significant security controls,' other data/systems," according to the timeline published in the Vectra write-up. "We applied a downgrade because the attacker needs to have access to an impacted victim's project."
Again, The Register has reached out to Google for its side of the story, and hopes to be able to include comments soon. ®
Updated to add on September 18
A Google spokesperson has told us in response to the above:
We created our Vulnerability Rewards Program specifically to identify and fix vulnerabilities like this one. We are appreciative of the researcher and the broader security community’s participation in these programs.
We developed a fix and are actively working to roll it out.