Report #35035

Report Date
September 3, 2024
Status
Closed
Payout

Google Cloud Service Account JSON File Leakage

Report Info

Report ID

#35035

Report type

Websites and Applications

Has PoC?

Yes

Target

https://github.com/BeanstalkFarms/Beanstalk-Analytics

(Out of scope)

Impacts

  • API Key Leakage

Description

Hi Team,

Google Cloud Service Account JSON file leakage refers to the unintended exposure or disclosure of sensitive JSON files associated with Google Cloud Service Accounts. These JSON files contain credentials that grant access to Google Cloud services, including private resources and administrative controls. When these files are leaked, unauthorized individuals can potentially exploit them to gain access to cloud resources, escalating the risk of data breaches and service misuse.

Vulnerability Details

Google Cloud Service Accounts use JSON key files to authenticate and authorize access to Google Cloud resources. These files include sensitive information such as the service account ID, private key, and other credentials necessary for accessing cloud services. Leakage of these files can occur through various means, including:

  • Misconfigured Permissions: Inappropriate file permissions or exposure of files in public repositories.
  • Improper Storage: Storing JSON key files in insecure locations such as public directories or version control systems.
  • Inadequate Security Practices: Sharing or transferring JSON files via insecure channels or failing to use proper key management practices.

Common Causes

  • Public Repository Exposure: Accidentally committing JSON key files to public code repositories (e.g., GitHub).

Impact Details

The impact of Google Cloud Service Account JSON file leakage can be severe and multifaceted:

  • Unauthorized Access: Attackers can use the exposed credentials to gain unauthorized access to Google Cloud services and resources, including databases, storage buckets, and APIs.
  • Data Breach: Unauthorized access can lead to data theft, data manipulation, or deletion of sensitive information stored in the cloud.
  • Service Disruption: Malicious actors may modify or delete critical cloud infrastructure components, causing service interruptions or outages.
  • Financial Loss: Exploitation of leaked credentials can result in financial losses due to misuse of resources, including unexpected charges for cloud services.

Proof of concept

The json file can be found [here](https://github.com/BeanstalkFarms/Beanstalk-Analytics/blob/7022cb0fc0b497f2247f277857c7d0c390ac7a62/serverless/tbiq-beanstalk-analytics-bca7893d8291.json#L6) and to test if it's working:

  • Download the JSON file.
  • Install gcloud.
  • See the commands below.
  • The command below is to make sure that the file is present.
$ cat tbiq-beanstalk-analytics-bca7893d8291.json
{
  "type": "service_account",
  "project_id": "tbiq-beanstalk-analytics",
  "private_key_id": "bca7893d8291018eea9618c7ef5ff3de52ac9b73",
  "private_key": "-----BEGIN PRIVATE KEY-----\n[private key removed from this copy of the report]\n-----END PRIVATE KEY-----\n",
  "client_email": "bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com",
  "client_id": "109301792576877008160",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/bean-analytics-data-writer%40tbiq-beanstalk-analytics.iam.gserviceaccount.com"
}
  • The command below activates the account credentials.
$ gcloud auth activate-service-account --key-file=tbiq-beanstalk-analytics-bca7893d8291.json
Activated service account credentials for: [bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com]
  • Lastly, fetch a valid access token.
$ gcloud auth print-access-token
ya29.[access token removed from this copy of the report]

Even though the file is no longer present in the public repository, it remains accessible through the GitHub commit history, where it can be discovered and exploited by attackers. Additionally, since I can still generate an access token, it indicates that the file, despite being deleted, is still functional.

BIC Response

Thank you for the report. We have checked and found these credentials aren't associated with any Beanstalk Farms accounts nor allow access to any of our systems.
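The gap the reporter points at, a key file that was deleted from the checkout but still sits in commit history, is what a repository owner needs to audit for before rotating keys. The script below is an added example and not code from the report or from Beanstalk: it walks every object reachable from any git ref, identifies service-account key files by their shape, and reports the key's identity (project, client email, key id) without ever loading or using the private key. It assumes git is on PATH; the function names (`classify_service_account_key`, `scan_git_history`) and the `SAMPLE_KEY` values are constructed for this example.

```python
# Added example (not code from the report or from Beanstalk): find Google Cloud
# service-account key files anywhere in a git history, deleted files included.
import json
import re
import subprocess

# Fields present in every service-account key file issued by Google Cloud.
REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri"}
PEM_HEADER = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

# Constructed sample with a placeholder key; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "data-writer@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

def classify_service_account_key(text):
    """Return identity fields (never the key) if `text` is a key file, else None."""
    try:
        doc = json.loads(text)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict) or doc.get("type") != "service_account":
        return None
    if not REQUIRED_FIELDS.issubset(doc) or not PEM_HEADER.search(str(doc["private_key"])):
        return None
    return {"project_id": doc["project_id"], "client_email": doc["client_email"],
            "private_key_id": doc["private_key_id"]}

def scan_git_history(repo="."):
    """Return (blob sha, path, identity) for every key file reachable from any ref.
    `git rev-list --all --objects` also lists blobs that a later commit deleted."""
    out = subprocess.run(["git", "-C", repo, "rev-list", "--all", "--objects"],
                         check=True, capture_output=True, text=True).stdout
    findings = []
    for line in out.splitlines():
        sha, _, path = line.partition(" ")
        if not path.endswith(".json"):  # only JSON blobs are worth parsing
            continue
        blob = subprocess.run(["git", "-C", repo, "cat-file", "-p", sha],
                              capture_output=True, text=True, errors="replace").stdout
        if identity := classify_service_account_key(blob):
            findings.append((sha, path, identity))
    return findings
```

Every finding should be treated as a key to revoke in the Cloud console (Google reissues a new key id on rotation), since rewriting history does not invalidate copies already cloned or cached.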