Security experts found a major bug in Google Cloud

Google Cloud
(Image credit: Google Cloud)

Security experts SADA claimed to have found a severe vulnerability in the Google Cloud Platform which has since been patched by the tech giant. 

Known as Asset Key Theft, the vulnerability would have potentially allowed threat actors to steal the private keys of Google Cloud Service Accounts. In a statement, SADA said it believed the flaw "would have given attackers a persistent and reliable method for abusing a Google Cloud environment."

SADA notified Google of the issue in its cloud hosting business via its Bug Hunters bounty program, where researchers can alert the tech giant to flaws they find in its products in a safe and secure manner.

API flaw

SADA believed that the issue was critical "due to the permission’s commonality with third-party cloud security tools, such as Cloud Security Posture Management (CSPM) tools, to gather cloud inventory data from the API."

The flaw was found in the Google Cloud Platform API known as the Cloud Asset Inventory API. It affected all Google Cloud users who had enabled this API and who had cloudasset.assets.searchAllResources permissions on the applicable Google Cloud environment were exposed to this vulnerability.

Once SADA reported this to Google, it reproduced the error itself to confirm its existence, before patching the vulnerability. SADA warns, however, that customers still may have been impacted by it, and the threat may have persisted after the patch.

“Supporting our customers as they transform their organizations in the cloud means constant vigilance when it comes to security,” says SADA CTO Miles Ward. “No public cloud is immune from vulnerabilities, and we all must act fast, collaborate openly, and communicate transparently when we spot a vulnerability."

"We commend Google Cloud for how quickly and thoroughly they responded when we brought this bug to their attention. We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe."

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.