Google Cloud seals bug that could have led to data breaches

freshidea – stock.adobe.com

The Asset Key Thief vulnerability gave rise to multiple potential attack scenarios that could have impacted thousands of Google Cloud users, but has now been safely fixed

Alex Scroxton

By

Published: 27 Apr 2023 11:30

Google Cloud has fixed a potentially dangerous application programming interface (API) vulnerability in its platform that, had it been exploited by malicious actors, could have led to widespread data breaches across multiple public clouds.

Dubbed Asset Key Thief and disclosed through researchers at SADA, a California-headquartered cloud security consultancy with UK offices in Dorset, the bug was uncovered on 7 February 2023 and reported through the Google Vulnerability Reward Program the same day. Following some back and forth, Google accepted the vulnerability on 23 February, and it was fixed and verified on 14 March.

“Supporting our customers as they transform their organisations in the cloud means constant vigilance when it comes to security,” said SADA chief technology officer Miles Ward.

“No public cloud is immune from vulnerabilities, and we all must act fast, collaborate openly and communicate transparently when we spot a vulnerability.

“We commend Google Cloud for how quickly and thoroughly they responded when we brought this bug to their attention,” he said. “We’re proud of the work SADA’s engineers put into ensuring that our customers’ data remains safe.”

The vulnerability itself existed in the Cloud Asset Inventory API and related to a persistent access mechanism known as Service Account private keys, and affected all Google Cloud customers that had enabled the API with principals granted specific permissions – cloudasset.assets.searchAllResources – on the applicable environment for a limited period.

In practice, this meant anybody with the needed permission could use a specific gcloud SDK command to exfiltrated private key material of a Service Account in the Google Cloud environment that was created or rotated in the prior 12 hours, and take over the identity of, and permissions associated with, said account.

Impact assessment

Had the vulnerability been exploited in the wild, its impact would have varied depending on the permissions held by the exploited accounts.

The SADA team posited three potential scenarios that may have unfolded:

  • In the first scenario, the theft of a private key from an organisation level Service Account used for infrastructure-as-code provisioning assigned the “overly permissive” Owner role would give a malicious actor access to virtually all resources and data in the victim environment;
  • In the second scenario, the theft of a private key from a default Service Account assigned the Editor role would give an attacker access to all resources in that individual’s project, or enable them to conduct further activity, such as spinning up illicit cryptominers, racking up substantial extra charges for the victim;
  • In the third scenario, the theft of a private key from a Service Account that had the ability to assume the identity of other Service Accounts in a centralised management structure – perhaps for tech support reasons – would have let an attacker chain access through various Service Accounts until hitting one that had access to sensitive customer data.

Although the vulnerability has been fixed, SADA is still recommending that Google Cloud users scan for potential occurrences of the exploit technique, looking for abnormal Service Account behaviour, and rotate their Service Account user-managed keys.

If your Google Cloud environment has data access logs enabled for ADMIN_READ activity on the Cloud Asset Inventory API, you will also be able to search for instances of exploitation. Additionally, the Google Cloud Security Command Center Premium service includes built-in detectors to spot abnormal behaviour that may have arisen through the vulnerability.

Read more on Cloud security

Read More
Thomas Ramage

Latest

North Carolina Football 2026 Top 30 Countdown: No. 18

This has been one of the most polarizing offseasons for the North Carolina Tar Heels' football program in recent memory. Following a disastrous 2025 season, in which the Tar Heels suffered multiple embarrassing losses under first-year head coach Bill Belichick, the program had to look itself in the mirror and acknowledge that major changes were

Nominate: Most Influential Women in UK Technology 2026

rawpixel.com - stock.adobe.com Tell us who you think should be included in Computer Weekly’s 2026 list of the 50 Most Influential Women in UK Technology By Clare McDonald, Business Editor Published: 09 Jul 2026 14:15 Nominations are now open for the 2026 Computer Weekly list of the Most Influential Women in UK Technology. For the

Samsung Advances AI-Powered, Personalized Learning at ISTELive 2026

Newly introduced education solutions personalize shared Interactive Displays and streamline teaching workflows. A joint session with Logitech explored how connected classroom technology supports student engagement and active learning. Interactive Display innovations highlighted expanded AI capabilities designed to support instruction, accessibility and real-time classroom interaction. At ISTELive 2026 in Orlando, Florida, Samsung Electronics showcased how connected

One interface isn’t enough for enterprise AI

Vercel Security Checkpoint | cle1::1783678487-cpssl4ONLEmTG1Gg8OetumjqBwyYo9Dn

Newsletter

Don't miss

North Carolina Football 2026 Top 30 Countdown: No. 18

This has been one of the most polarizing offseasons for the North Carolina Tar Heels' football program in recent memory. Following a disastrous 2025 season, in which the Tar Heels suffered multiple embarrassing losses under first-year head coach Bill Belichick, the program had to look itself in the mirror and acknowledge that major changes were

Nominate: Most Influential Women in UK Technology 2026

rawpixel.com - stock.adobe.com Tell us who you think should be included in Computer Weekly’s 2026 list of the 50 Most Influential Women in UK Technology By Clare McDonald, Business Editor Published: 09 Jul 2026 14:15 Nominations are now open for the 2026 Computer Weekly list of the Most Influential Women in UK Technology. For the

Samsung Advances AI-Powered, Personalized Learning at ISTELive 2026

Newly introduced education solutions personalize shared Interactive Displays and streamline teaching workflows. A joint session with Logitech explored how connected classroom technology supports student engagement and active learning. Interactive Display innovations highlighted expanded AI capabilities designed to support instruction, accessibility and real-time classroom interaction. At ISTELive 2026 in Orlando, Florida, Samsung Electronics showcased how connected

One interface isn’t enough for enterprise AI

Vercel Security Checkpoint | cle1::1783678487-cpssl4ONLEmTG1Gg8OetumjqBwyYo9Dn

Psychedelic drug screen in mice may overlook stress and brain changes

🛡️ Just a quick check We’re checking your connection to prevent automated abuse

Breitbart Business Digest: Stacking Those $250 Trump Bills

Weekly Wrap: Making It Rain with Trump Bills Welcome back to Friday! This is the Breitbart Business Digest weekly wrap, our septidialogic sweep through the economic and financial news. This week the economy failed to get indigestion from the high price of gas, Treasury Secretary Scott Bessent told us about getting fed at the Fed, Trump

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity