from Hacker News

I have gained admin access to numerous GCloud Organizations by accident

by anon223345 on 5/30/23, 1:06 PM with 121 comments

in Google Cloud, you can assign admin, billing, etc to a google group.

Years ago I made a google group for google cloud administration

A company in Spain, a bunch of startups, etc have added that google group (by accident) as an IAM user with varying level of roles attached

I now have billing access to one account, admin access to another, can just hop into the database of at least two of the accounts

I try to reach out to google support but because I don’t have “business” or “enterprise” level support I can’t even submit a ticket

I’m trying to let them know but can’t, they do t do chat, no phone number, even billing contact is an automated chatbot only

GCloud should have like “emergency reach out to a person” link or something

  • by leesalminen on 5/30/23, 3:15 PM

    A few months ago I stumbled upon a bug in a state machine that allowed me to obtain stuff without having to pay for it. It was a weird combination of steps and was kind of hard to explain.

    I submitted a ticket to the support team advising them in painstaking detail the steps needed to reproduce this vulnerability. They could also look at my account and see that I got stuff without paying.

    A couple days later I got a reply from a support manager that my concern wasn’t valid and there was no bug.

    The next week I happened to be at a conference where the company in question was a sponsor. So, I visited their booth and spoke with the VP of Eng. He asked me to forward the ticket to security@. Within 8 hours I got a reply from them saying that they had fixed the bug.

    I guess I’m saying that even if Google let you submit a support ticket it might get ignored because they aren’t trained to deal with security reports.

  • by tazjin on 5/30/23, 3:49 PM

    Ex-Googler here. Try reporting it through the security disclosure program: https://www.google.com/appserve/security-bugs/m2/new

    You can also assume that by virtue of you having posted this here and being on the frontpage, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact. This almost always works :)

    Maybe edit your OP with a way to contact you, so that someone can reach out.

  • by invalidname on 5/30/23, 3:13 PM

    As a person who paid for Google's "Gold" support. They are less than useless.

    Don't go into these accounts at all. Not even to try and help/contact them. Laws about this are very vague and no one within the ORG would want to admit that they made a mistake by adding you.

  • by elzbardico on 5/30/23, 3:24 PM

    Even if you manage to reach out to Google, I doubt they will do anything like remove your group from those roles. From their POV you could be just trying to social engineer them into removing someone who has legitimate access.

    I think you have better chances contacting people in the org who added your group to those roles.

  • by anon223345 on 5/30/23, 9:12 PM

    Update #2 - they actually responded to my bug bounty request. Seems they think it may be worth fixing but not a big enough deal to pay out a bounty to me. Obviously I’d like the bounty but if I got any recognition that would be awesome

    —- Hi,

    Thanks again for your report.

    I've filed a bug with the responsible product team based on your report. The product team will evaluate your report and decide if a fix is required. We'll let you know if the issue was fixed.

    Regarding our Vulnerability Reward Program: At first glance, it seems this issue is not severe enough to qualify for a reward. However, the VRP panel will take a closer look at the issue at their next meeting. We'll update you once we've come to a decision.

    If you don't hear back from us in 2-3 weeks or have additional information, let us know!

    Regards, Google Security Team

  • by crazygringo on 5/30/23, 4:38 PM

    As other commenters here have noted, a company can't just do this accidentally. If they add an external group, there's a warning message. Because many times it may be a mistake, but there are also many times a company will have a legitimate reason to do so.

    This isn't a bug, it's a feature. If you want to do the right thing, the correct course of action isn't to notify Google, it's to send an e-mail to the companies so they can revoke access to the group. It's not Google's problem.

    Or if you don't want to deal with that and the group isn't used for anything anymore and you still want to be a good citizen, just delete everybody else from the group.

  • by thecarokann on 5/30/23, 3:53 PM

  • by Trencin on 5/30/23, 3:57 PM

    At least twice I have left a review about a Business on Google Maps and ended up as an admin of their business profile. I don't know what's going on with Google.

  • by kevingmccall on 5/30/23, 7:17 PM

    I'm the SRE oncall for Cloud IAM. Can you send me a message on linkedin (link in my profile)? I'll give you my Google corp account email address.

  • by LinuxBender on 5/30/23, 1:14 PM

    As an admin of their group can you see their group admin contact email address? If so maybe they have an enterprise account and can reach a human in Google. I am not a lawyer but there is probably risk in accessing any of their data, audit trails and all.

  • by wheaties on 5/30/23, 3:08 PM

    You are prompted to confirm an external group being added as admin. Someone purposefully ignored it.

    Good luck. You're trying to do the right thing but if they lawyer you, remind them they added you not you added them.

  • by boilerupnc on 5/30/23, 3:43 PM

    I would have thought that being "added" to anything is a two-way confirmation:

    1. One from the party wanting to add the group to their account. Based on a prior comment, sounds like you are prompted to confirm an external group being added as admin.

    2. One from the party administering/owning an external google group being requested to be added. Is there any confirmation here?

    Without the 2nd confirm, I start imagining security exposures in the family of Ransomware - let's call it "RansomAdd". You randomly add external google groups until you get someone to poke around "too much" and then threaten them with legal action unless they pay up. Ugh.

  • by jacobsenscott on 5/30/23, 3:43 PM

    Isn't this a little like reaching out to Linus because someone changed their home directory permission to rwxrwxrwx? It sucks for them, but what could google do?

  • by oaksoul on 5/30/23, 6:22 PM

    I was successful in the past reaching out through this:

    https://issuetracker.google.com/issues/new?component=187161&...

    I was told "issuetracker" generates messages directly to support/engineering teams and they do look into it.

    Submit a "defect" and they will answer.

  • by lopkeny12ko on 5/30/23, 3:58 PM

    Just ignore it move on. There's no winning there. In the worst case, the company may try to file charges against you for computer abuse/fraud. In the best case, an otherwise harmless association is removed from your account. It is impossible to get ahold of anyone at Google if you are not an enterprise customer. Just forget about it and do nothing.

  • by pirsquare on 5/30/23, 6:08 PM

    As usual, the expected Google Clown Platform support.

    FWIW, 3 months ago they shutdown my servers for some minor issue and I'm only able to get them to reactivate after a week.

    Source: https://news.ycombinator.com/item?id=35133917

  • by AtNightWeCode on 5/30/23, 6:26 PM

    Surely there should be a way for an owner of a group to revoke these permissions. I am not familiar with the tech though.

    If it is not too much hassle I would create a new group, switch to it and delete the old one. This is just one of many reasons corps add prefixes to their naming conventions in the cloud.

    I would not go down the path of contacting the companies. You have to see it from their point of view when it comes to security and legal processes. Just because you know that you have not done anything wrong does not mean anything for how they will proceed. They will start from the objectives. Somebody has access to our stuff.

  • by nopoint on 5/30/23, 3:49 PM

    At my previous job i brought credentials leakage to higher ups attention but it went unfixed for a year. Nothing to gain Other than wasting our time.

  • by slowmotiony on 5/30/23, 3:39 PM

    If there's no way to contact them then I'd probably just delete their stuff altogether. What are they gonna do, contact google support? :-)

  • by anon223345 on 5/30/23, 4:59 PM

    UPDATE: I have just submitted a bug bounty request

    That would really help my career and life if I get that!

    I won’t do anything with the accounts I accidentally have access to

  • by darkwater on 5/30/23, 3:52 PM

    Just to better understand, was it a "generic enough" Google Group name that people used its name in the policy thinking they were granting access to their own "google cloud administrators"? Or were people/companies actively part of that Google Group you created?

  • by TurkishPoptart on 6/1/23, 4:33 PM

    I'm surprised anyone would ever use Google Cloud Platform after reading this. No support at all? AWS blows them out of the water because they value customer support, I guess.

  • by anon223345 on 6/1/23, 8:49 PM

    Update #3 Got an honorable mention from Google Bug Hunters

    They said they’re gonna see if it’s worth fixing and will get back to me. They didn’t award a bug bounty, but I’ll take the kudos.

  • by dboreham on 5/30/23, 6:01 PM

    Almost as funny as naming your kid "delete from users".

  • by secondcoming on 5/30/23, 3:32 PM

    Be very careful. Even though you're trying to do The Right Thing don't alert these companies to the fact you've been accessing their accounts without permission.

  • by mikyd1954 on 5/30/23, 3:52 PM

    Not sure what support could do for you that you could not do yourself, ie: undertake to degrade the 'years ago group' and alert responders as needed.

  • by mikyd1954 on 5/30/23, 3:53 PM

    Seems like nothing support could do that you could not do yourself, ie: degrade the 'years ago group' and assist responders as needed.

  • by sir_rob on 5/31/23, 11:37 AM

    Shouldn't you contact the org that added your account? This is much more a config issue / user error than a Google bug.

  • by cookieperson on 5/30/23, 3:34 PM

    Just be careful y'all. Even though something is a bug or a mistake you could get in bigtime shit over it, or a bill.

  • by 0xbadcafebee on 5/30/23, 7:03 PM

    GCloud security is horrible. It's like they designed the whole thing to be insecure by default. Coming from AWS, the amount of permissions they give by default in the most commonly-used roles is insane. They also seem to lack some functionality necessary to make fine-grained access permissions to access some of their advertised features. It's really crazy.

  • by Hamuko on 5/30/23, 3:29 PM

    Ask them to increase "your" GPU quota by 100x. That should surely be enough of a red flag.

  • by yolo3000 on 5/30/23, 4:03 PM

    I think you can reach them on their forum as well, for example https://www.googlecloudcommunity.com/gc/Security/Welcome-to-....

  • by renewiltord on 5/30/23, 3:18 PM

    Perhaps if you have IAM you can see their users and then email them.

  • by we_never_see_it on 5/30/23, 3:20 PM

    I have hard times feeling any sympathy for these companies. When you trust an ad company like Google what did you expect? Maybe Google will shutdown this product and fix the secuity hole in the process.

  • by andrewstuart on 5/30/23, 6:26 PM

    Maybe you could get thousands of dollars big bounty!

  • by gooob on 5/30/23, 1:08 PM

    that is hilarious

  • by throwawayadvsec on 5/30/23, 4:37 PM

    if you have access to the DB, create a collection/table with a warning/contact info

  • by SillyUsername on 5/30/23, 7:28 PM

    Perhaps related to this bug which Google has known about for 12 years, and is potentially in breach of GDPR? https://issuetracker.google.com/issues/35889152

  • by IYasha on 5/30/23, 3:48 PM

    for g in * do wget g; done;