Security experts found a major bug in Google Cloud

Google Cloud
(Image credit: Google Cloud)

Security experts SADA claimed to have found a severe vulnerability in the Google Cloud Platform which has since been patched by the tech giant. 

Known as Asset Key Theft, the vulnerability would have potentially allowed threat actors to steal the private keys of Google Cloud Service Accounts. In a statement, SADA said it believed the flaw "would have given attackers a persistent and reliable method for abusing a Google Cloud environment."

SADA notified Google of the issue in its cloud hosting business via its Bug Hunters bounty program, where researchers can alert the tech giant to flaws they find in its products in a safe and secure manner.

API flaw

SADA believed that the issue was critical "due to the permission’s commonality with third-party cloud security tools, such as Cloud Security Posture Management (CSPM) tools, to gather cloud inventory data from the API."

The flaw was found in the Google Cloud Platform API known as the Cloud Asset Inventory API. It affected all Google Cloud users who had enabled this API and who had cloudasset.assets.searchAllResources permissions on the applicable Google Cloud environment were exposed to this vulnerability.

Once SADA reported this to Google, it reproduced the error itself to confirm its existence, before patching the vulnerability. SADA warns, however, that customers still may have been impacted by it, and the threat may have persisted after the patch.

“Supporting our customers as they transform their organizations in the cloud means constant vigilance when it comes to security,” says SADA CTO Miles Ward. “No public cloud is immune from vulnerabilities, and we all must act fast, collaborate openly, and communicate transparently when we spot a vulnerability."

"We commend Google Cloud for how quickly and thoroughly they responded when we brought this bug to their attention. We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe."

TOPICS
Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
Shadowed hands on a digital background reaching for a login prompt.
A flaw in Google OAuth system is exposing millions of users via abandoned accounts
the YouTube logo on a screen in front of other YouTube logos covering a black background
Worrying YouTube security flaw exposed billions of user emails
A hand reaching out to touch a futuristic rendering of an AI processor.
Google Cloud unveils new AI Protection security tools, no matter which model you use
Location Data
Cloudflare CDN flaw could expose user location simply by sending an image
Facebook on laptop
Researcher nets major reward for finding Facebook bug able to unlock the gates to its internal systems
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
Nintendo Switch 2
Nintendo Switch 2 expected to have AI upscaling and I can't wait to finally play Tears of the Kingdom with upgraded graphics
PowerColor Red Devil AMD RX 9070 XT graphics card shown side-on
Your next GPU could be from AMD, not Nvidia, if Team Red’s success with PC gamers continues
Intel Lunar Lake concept
Intel's Panther Lake processors won't arrive until Q1 2026 - corroborates previous delay rumors despite former Intel CEO's promise of 2025 launch
Quordle on a smartphone held in a hand
Quordle hints and answers for Tuesday, March 18 (game #1149)