Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts

Google has multiple different official blogs (for example,, or

Blogs on * are hosted on and uploaded images are hosted on Blogspot’s CDN. However, The Keyword ( and Google Cloud blog use a custom platform for their blogs.

Images on these blogs are stored in Google Cloud Storage buckets:



Google Cloud Storage is an IaaS file storage service on the Google Cloud Platform and can allow us to access the resources via an URL on the web.

Accessing the buckets

We can access the bucket in the browser using one of these URLs:

  •<bucket name>/
  • https://<bucket name>
  •<bucket name>/
  •<bucket name>/

and adding the filename at the end of the URL.

The Keyword Blog

However, if we try to access the first Cloud Bucket in the browser, it shows that we don’t have permission to list the uploaded items.

<?xml version="1.0" encoding="UTF-8"?>
    <Message>Access denied.</Message>
    <Details>Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.</Details>

That’s because public listing of uploaded items is disabled by default.

Google Cloud Blog

But if we try to access the second bucket, it returns the list of all uploaded items in the bucket.

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="">
   <Prefix />
   <Marker />

Why did this happen? This bucket had public view permissions added for everyone.

Since the Storage Object Viewer (roles/storage.objectViewer) permission (or roles/storage.legacyBucketReader) has been added for allUsers, it allowed anyone to view and list items stored in the bucket.

Storage Object Viewer

Grants access to view objects and their metadata, excluding ACLs.
Can also list the objects in a bucket.


The bucket was accessible to the public and included all uploaded images on the Google Cloud Blog, including images in draft blog posts.

Getting access to images that have not been published yet could have resulted in a leak of confidential information, for example, upcoming Google Cloud products or features.

2019-04-10Vulnerability reported
2019-04-10Priority changed to P2
2019-04-10Looking into it
2019-04-12Filed a bug
2019-04-16Reward issued
2019-04-24Marked as fixed

Written by Thomas Orlita
Follow me on Twitter: @ThomasOrlita / Mastodon: