Post

Misconfigured GCP Storages disclosed sensitive data to the public

Posted Updated
Preview Image
By Ophion Security 4 min read

In December, we identified and reported misconfigurations on numerous sensitive Google Cloud storage buckets that contained millions of sensitive user data. In this disclosure, we will share data on what information was disclosed and who was affected.

Similar to Amazon Web Services’s (AWS) S3 service, Google Cloud Platform (GCP) provides a storage service known as Cloud Storage service. In December 2022, we identified several sensitive GCP Storages that allowed accessing and listing files without any form of authentication. Upon identification, we reported the security issues to affected organizations. In this blog, we will highlight some of the issues identified.

Note: The vulnerabilities identified in the following sections have now been patched

1M+ email attachments disclosed via GSuite Workspace App

GSuite provides a marketplace (https://workspace.google.com/marketplace)) for individual users and administrators to install plugins and add-ons. These add-ons make it easier for users to integrate into third-party systems and add additional features to their applications such as PDF signatures, Email Campaigns and more.

One of the plugins provided an email to Google Drive feature. The plugin at the time of the writing has been installed more than 1.3 million times. Users could provide an email to their customers who could then send attachments to the email address. The service will then upload those files directly to the user’s Google Drive. However, for the sake of efficiency, the service would store the attachments in its own storage bucket. This storage bucket was publicly accessible and listed all the attachments sent by the users. Disclosed information included but was not limited to:

  1. Bank statements uploaded by and to banks and mortgage companies.
  2. Background check export ran by companies on new hires.

Getting this issue fixed took some extra time:

  1. December 03, 2022 - Issue identified and reported to Google to see if they can reach out to the developer.
  2. December 06, 2022 - Google recommended we reach out to the developer directly. We identified an email address and reported the issue to the developer.
  3. December 19, 2022 - No response was received from the developer. We reached back to Google on next steps.
  4. January 05, 2023 - We internally confirmed the fix

100,000+ customer information disclosed via invoices

We identified a GCP storage bucket for a popular third-party Shopify app. This app created a copy of stores’ invoices and stored those as a PDF format in the storage bucket. Since the bucket had directory listing enabled and the files did not need any form of authentication, it was possible to download all available invoices. Timeline of disclosure:

  1. December 02, 2022 - Issue identified and reported to Shopify via their security email.
  2. December 06, 2022 - Confirmed fix internally in our tracker.
  3. December 12, 2022 - Received confirmation from Shopify that the developers have fixed the directory listing.

100,000+ Live chat logs disclosed through a LiveChat vendor

Live chat features in websites are common. From PayPal to banks to large enterprise organizations, live chat helps resolve customer problems with ease. However, most live chat features are integrated with third-party vendors that further integrate the chat systems to support systems. We identified a popular live chat vendor who stored exported chat logs (from admin side) in a storage bucket. Following information was disclosed on the logs:

  1. First message by the user
  2. User filled out PII: Name, Email, IP address (from analytics) and Address
  3. Agent information on who responded

We had hard time finding the proper contact for this vendor regardless of their large customer base. To make sure the vulnerability was patched, we reported this to Cybersecurity and Infrastructure Security Agency (CISA)’s incident report email address. Disclosure window:

  1. November 27, 2022 - Vulnerability identified and reported to CISA.
  2. December 01, 2022 - Vulnerability internally confirmed to be patched.
  3. December 12, 2022 - Even though we did not expect to hear back, we got a response from CISA confirming that the vendor had confirmed the vulnerability was patched.

Conclusion

Leaky storage buckets are common and impact businesses and customers every year. It is important for businesses and developers to understand how features like AWS S3 and GCP Storage work and how files are made accessible to all. The vulnerabilities shared in this blog are not the only incidents of disclosed data in 2022. However, we hope this helps raise further awareness in the risks associated with such configurations.

Vulnerability, Research
disclosure security research google cloud devsecops misconfiguration
This post is licensed under CC BY 4.0 by the author.