Blogs on *.googleblog.com are hosted on blogspot.com, and uploaded images are served from Blogspot’s CDN. However, The Keyword (blog.google) and the Google Cloud blog run on a custom platform.
Images on these blogs are stored in Google Cloud Storage buckets:
Google Cloud Storage is the object storage service of the Google Cloud Platform. Objects live in buckets and, if the bucket’s permissions allow it, anyone can fetch them by URL on the web.
Accessing the buckets
We can access a bucket in the browser using one of these URLs:
and adding the filename at the end of the URL.
The Keyword Blog
However, if we try to open the first bucket in the browser, the response says that an anonymous caller has no permission to list the uploaded objects:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied.</Message>
  <Details>Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.</Details>
</Error>
That is the expected state: a new bucket grants anonymous callers nothing, so neither listing nor reading objects works until someone explicitly binds a role to allUsers.
Google Cloud Blog
But if we try to access the second bucket, it returns the list of all uploaded items in the bucket.
<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
  <Name>gweb-cloudblog-publish</Name>
  <Prefix />
  <Marker />
  <NextMarker>images/100-announcements-12_T3T5Cv5.max-300x300.png</NextMarker>
  <IsTruncated>true</IsTruncated>
  <Contents>
    <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x347.jpg</Key>
    <Generation>1529607698661849</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2018-06-21T19:01:38.661Z</LastModified>
    <ETag>"fbce0d28ed561e2248946ca8763de8ad"</ETag>
    <Size>156772</Size>
  </Contents>
  <Contents>
    <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x563.jpg</Key>
    <Generation>1529607698725002</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2018-06-21T19:01:38.724Z</LastModified>
    <ETag>"a22b9d844cb2ade708ce4166f7d4797e"</ETag>
    <Size>259746</Size>
  </Contents>
  <Contents>
    <Key>images/-02-MAIN-Dublin.2e16d0ba.fill-100x100.jpg</Key>
    <Generation>1529607698808132</Generation>
    <MetaGeneration>1</MetaGeneration>
    <LastModified>2018-06-21T19:01:38.807Z</LastModified>
    <ETag>"ec3c2c4d8bff33d050e251a40a7ee52d"</ETag>
    <Size>7264</Size>
  </Contents>
  …
</ListBucketResult>
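Checking a bucket for exactly this condition is easy to script. The probe below is an added example for this write-up (not code from the original post or from Google): it requests the bucket root through the XML API with no credentials, distinguishes the AccessDenied document from a ListBucketResult, and follows marker pagination (IsTruncated / NextMarker) so that a large bucket is enumerated completely rather than just its first page. The two XML samples embedded in it are constructed, modelled on the responses above; the bucket name "locked-down-bucket" and the fake_fetch helper exist only so the script runs offline.

```python
"""Probe a Cloud Storage bucket for anonymous object listing via the XML API.

Added example for this write-up, not code from the original post or from
Google. Only the standard library is used; network access is needed only by
fetch_anonymous(), which the constructed samples do not exercise.
"""
from typing import Callable, List, Optional, Tuple
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# The GCS XML API returns listings in the S3 namespace, as the response above shows.
NS = "{http://doc.s3.amazonaws.com/2006-03-01}"

# Constructed sample responses, modelled on the two bodies shown in the write-up.
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access denied.</Message>
<Details>Anonymous caller does not have storage.objects.list access to the Google Cloud Storage bucket.</Details></Error>"""

SAMPLE_PAGE1 = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
<Name>gweb-cloudblog-publish</Name><Prefix/><Marker/>
<NextMarker>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x563.jpg</NextMarker>
<IsTruncated>true</IsTruncated>
<Contents><Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x347.jpg</Key><Size>156772</Size></Contents>
<Contents><Key>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x563.jpg</Key><Size>259746</Size></Contents>
</ListBucketResult>"""

SAMPLE_PAGE2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://doc.s3.amazonaws.com/2006-03-01">
<Name>gweb-cloudblog-publish</Name><Prefix/>
<Marker>images/-02-MAIN-Dublin.2e16d0ba.fill-1000x563.jpg</Marker>
<IsTruncated>false</IsTruncated>
<Contents><Key>images/-02-MAIN-Dublin.2e16d0ba.fill-100x100.jpg</Key><Size>7264</Size></Contents>
</ListBucketResult>"""


def parse_listing(body: bytes):
    """Classify one XML-API response body.

    Returns ("denied", detail) for an <Error> document, or
    ("listing", keys, next_marker) for a <ListBucketResult>; next_marker is
    None once the listing is complete.
    """
    root = ET.fromstring(body)
    if root.tag == "Error":  # error documents carry no namespace
        detail = root.findtext("Details") or root.findtext("Message") or ""
        return ("denied", f"{root.findtext('Code')}: {detail}")
    if root.tag != NS + "ListBucketResult":
        raise ValueError(f"unexpected root element {root.tag!r}")
    keys = [c.findtext(NS + "Key") for c in root.iter(NS + "Contents")]
    truncated = (root.findtext(NS + "IsTruncated") or "false").strip().lower() == "true"
    next_marker = None
    if truncated:
        # GCS sends NextMarker; fall back to the last key should a server omit it.
        next_marker = root.findtext(NS + "NextMarker") or (keys[-1] if keys else None)
    return ("listing", keys, next_marker)


def fetch_anonymous(bucket: str, marker: Optional[str] = None, max_keys: int = 1000) -> bytes:
    """GET the bucket root with no credentials, just as a browser would.
    HTTP 403 bodies are returned too, because they carry the <Error> document."""
    url = f"https://storage.googleapis.com/{bucket}/?max-keys={max_keys}"
    if marker:
        url += "&marker=" + urllib.parse.quote(marker, safe="")
    req = urllib.request.Request(url, headers={"User-Agent": "bucket-listing-probe"})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def enumerate_bucket(bucket: str, fetch: Callable[..., bytes] = fetch_anonymous,
                     max_pages: int = 50) -> Tuple[bool, List[str], str]:
    """Follow marker pagination until the listing ends or max_pages is reached.
    Returns (publicly_listable, keys, detail)."""
    keys: List[str] = []
    marker: Optional[str] = None
    for page in range(max_pages):
        result = parse_listing(fetch(bucket, marker))
        if result[0] == "denied":
            return (False, keys, result[1])
        _, page_keys, marker = result
        keys.extend(page_keys)
        if marker is None:
            return (True, keys, f"complete after {page + 1} page(s)")
    return (True, keys, f"stopped after {max_pages} pages, listing still truncated")


def fake_fetch(bucket: str, marker: Optional[str] = None, max_keys: int = 1000) -> bytes:
    """Offline stand-in for fetch_anonymous() that replays the constructed samples.
    The bucket name "locked-down-bucket" is hypothetical."""
    if bucket == "locked-down-bucket":
        return SAMPLE_DENIED
    return SAMPLE_PAGE1 if marker is None else SAMPLE_PAGE2


if __name__ == "__main__":
    for name in ("locked-down-bucket", "gweb-cloudblog-publish"):
        listable, keys, detail = enumerate_bucket(name, fetch=fake_fetch)
        print(f"{name}: listable={listable} objects={len(keys)} ({detail})")
```

Against a live bucket, call enumerate_bucket("bucket-name") with the default fetcher; the browser check in the text is the same request without the pagination loop, which is why the first page alone can understate how much a bucket exposes.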
Why did this happen? This bucket had public view permissions added for everyone.
Either the Storage Object Viewer role (roles/storage.objectViewer, which carries storage.objects.get and storage.objects.list) or roles/storage.legacyBucketReader (which carries storage.buckets.get and storage.objects.list, but not storage.objects.get) had been bound to allUsers. With either binding anyone can enumerate every object in the bucket; with objectViewer they can also download each one.
Storage Object Viewer: Grants access to view objects and their metadata, excluding ACLs. Can also list the objects in a bucket.
The bucket was accessible to the public and included all uploaded images on the Google Cloud Blog, including images in draft blog posts.
Getting access to images that have not been published yet could have resulted in a leak of confidential information, for example, upcoming Google Cloud products or features.
10.04.2019: Vulnerability reported
10.04.2019: Priority changed to P2
10.04.2019: Looking into it
12.04.2019: Filed a bug
16.04.2019: Reward issued
24.04.2019: Marked as fixed