Public Bucket Allowed Access to Images on Upcoming Google Cloud Blog Posts

Google has multiple different official blogs (for example blog.google, firebase.googleblog.com, or cloud.google.com/blog).

Blogs on *.googleblog.com are hosted on blogspot.com and uploaded images are hosted on Blogspot’s CDN. However, The Keyword (blog.google) and Google Cloud blog use a custom platform for their blogs.

Images on these blogs are stored in Google Cloud Storage buckets:

https://storage.googleapis.com/gweb-uniblog-publish-prod/

and

https://storage.googleapis.com/gweb-cloudblog-publish/

respectively.

Google Cloud Storage is an IaaS file storage service on the Google Cloud Platform and can allow us to access the resources via an URL on the web.

Accessing the buckets

We can access the bucket in the browser using one of those URLs:

  • https://storage.googleapis.com/<bucket name>/
  • https://<bucket name>.storage.googleapis.com/
  • https://storage.cloud.google.com/<bucket name>/

and adding the filename at the end of the URL.

The Keyword Blog

However, if we try to access the first Cloud Bucket in the browser, it shows that we don’t have permission to list the uploaded items.

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>AccessDenied</Code>
    <Message>Access denied.</Message>
    <Details>Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.</Details>
</Error>

That’s because public listing of uploaded items is disabled by default.

Google Cloud Blog

But if we try to access the second bucket, it returns the list of all uploaded items in the bucket.

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
   <Name>gweb-cloudblog-publish</Name>
   <Prefix />
   <Marker />
   <NextMarker>images/100-announcements-12_T3T5Cv5.max-300x300.png</NextMarker>
   <IsTruncated>true</IsTruncated>
   <Contents>
      <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x347.jpg</Key>
      <Generation>1529607698661849</Generation>
      <MetaGeneration>1</MetaGeneration>
      <LastModified>2018-06-21T19:01:38.661Z</LastModified>
      <ETag>"fbce0d28ed561e2248946ca8763de8ad"</ETag>
      <Size>156772</Size>
   </Contents>
   <Contents>
      <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x563.jpg</Key>
      <Generation>1529607698725002</Generation>
      <MetaGeneration>1</MetaGeneration>
      <LastModified>2018-06-21T19:01:38.724Z</LastModified>
      <ETag>"a22b9d844cb2ade708ce4166f7d4797e"</ETag>
      <Size>259746</Size>
   </Contents>
   <Contents>
      <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-100x100.jpg</Key>
      <Generation>1529607698808132</Generation>
      <MetaGeneration>1</MetaGeneration>
      <LastModified>2018-06-21T19:01:38.807Z</LastModified>
      <ETag>"ec3c2c4d8bff33d050e251a40a7ee52d"</ETag>
      <Size>7264</Size>
   </Contents>
   …
</ListBucketResult>

Why did this happen? This bucket had public view permissions added for everyone.

Since the Storage Object Viewer (roles/storage.objectViewer) permission (or roles/storage.legacyBucketReader) has been added for allUsers, it allowed anyone to view and list items stored in the bucket.

Storage Object Viewer

Grants access to view objects and their metadata, excluding ACLs.
Can also list the objects in a bucket.

Impact

The bucket was accessible to the public and included all uploaded images on the Google Cloud Blog, including images in draft blog posts.

Getting access to images that have not been published yet could have resulted in a leak of confidential information, for example, upcoming Google Cloud products or features.

Timeline:

10.04.2019: Vulnerability reported
10.04.2019: Priority changed to P2
10.04.2019: Looking into it
12.04.2019: Filed a bug
16.04.2019: Reward issued
24.04.2019: Marked as fixed

ThomasOrlita.com
Follow me on Twitter: @ThomasOrlita