There was a recently patched Google Cloud vulnerability called Asset Key Thief that allowed Google Cloud principals with the Cloud Asset Viewer role to exfiltrate any user-managed Google Cloud Service Account private key for up to 24 hours after its creation.
This vulnerability could result in giving attackers a persistent and reliable method for abusing a Google Cloud environment. The vulnerability affected keys created using User-managed keys with private keys generated by Google and keys that were generated after July 5, 2021, and not deleted by March 14, 2023, or not rotated after March 14, 2023.
Google Cloud has fixed the vulnerability, but organizations are recommended to rotate their Service Account user-managed keys as an extra precaution.
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
Only registered users can post comments. Please, login or signup.