Security experts at SADA have discovered a vulnerability, known as Asset Key Theft, that could allow threat actors to steal the private keys of Google Cloud Service Accounts. In an official statement, SADA said: “The flaws would have given attackers a persistent and reliable method for abusing a Google Cloud environment”.
The flaw was located in the Cloud Asset Inventory API of the Google Cloud Platform and affected all users who had enabled this API and held the cloudasset.asset.searchAllResources permission. This means that many customers who used this service may have had their sensitive information compromised.
Google was quick to patch the flaw when notified by SADA through its Bug Hunters bounty program, where researchers can safely and securely alert the tech giant to flaws they find in any of its products. SADA added that the issue was critical because the permission is commonly used by third-party cloud security tools to gather cloud inventory data from the API.
Miles Ward, SADA CTO, confirmed that no public cloud is immune from vulnerabilities and commended Google's swift response in patching the vulnerability. In his words: “We commend Google for how quickly and thoroughly they responded when we brought this bug to their attention. We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe”.