This article explains how misconfiguring Google Groups with open join settings can be exploited to gain unauthorized access to Google Cloud Platform (GCP) roles, enabling privilege escalation. It also discusses detection, remediation, and coordinated disclosure with Google.
#GoogleGroups #OpenGroups
Key points
- Google Groups can be used as IAM principals in Google Cloud, making them a potential privilege escalation vector.
- Groups with open join settings allow any member of the organization to join, creating opportunities for unauthorized access.
- Privilege escalation can occur when a member joins a group that already has roles granted in GCP.
- There are no explicit default guardrails preventing administrators from granting roles to groups with open join settings.
- The article provides strategies for hunting and detecting open groups and their associated risks in IAM.
- Coordinated disclosure with Google occurred, with the issue ultimately labeled as intended behavior, highlighting misconfiguration risks.
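One way to turn the hunting strategy in the key points above into a check: correlate each group's join setting with the IAM bindings that name that group, and flag grants to groups that any domain member (or anyone) can self-join. This is an added example, not code from the article; it assumes the group settings have already been pulled into a dict keyed by group email (the `whoCanJoin` values are those of the Groups Settings API) and the IAM policies into a dict keyed by resource, and all sample data is constructed.

```python
from dataclasses import dataclass

# Groups Settings API `whoCanJoin` values that let anyone (or anyone in the
# Workspace domain) add themselves without an owner or admin approving.
OPEN_JOIN_SETTINGS = {"ANYONE_CAN_JOIN", "ALL_IN_DOMAIN_CAN_JOIN"}
# Grants that hand near-total control of the resource to whoever joins the group.
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}


@dataclass(frozen=True)
class Finding:
    group: str
    role: str
    resource: str
    who_can_join: str
    severity: str


def find_open_group_grants(group_settings, iam_policies):
    """Flag every IAM binding whose member is a group with an open join setting.

    group_settings: {group_email: whoCanJoin}                      (assumed shape)
    iam_policies:   {resource: [{"role": r, "members": [...]}, ...]} (assumed shape)
    """
    findings = []
    for resource, bindings in iam_policies.items():
        for binding in bindings:
            for member in binding.get("members", []):
                if not member.startswith("group:"):
                    continue  # users, serviceAccounts, allUsers are out of scope here
                email = member[len("group:"):].lower()  # group emails are case-insensitive
                setting = group_settings.get(email)
                if setting not in OPEN_JOIN_SETTINGS:
                    continue  # unknown group or invite/approval-only join setting
                severity = "HIGH" if binding["role"] in HIGH_RISK_ROLES else "MEDIUM"
                findings.append(Finding(email, binding["role"], resource, setting, severity))
    return findings


# Constructed sample data: not real groups, projects or settings.
SAMPLE_SETTINGS = {
    "open-team@example.com": "ALL_IN_DOMAIN_CAN_JOIN",
    "restricted-admins@example.com": "INVITED_CAN_JOIN",
}
SAMPLE_POLICIES = {
    "projects/example-prod": [
        {"role": "roles/editor", "members": ["group:open-team@example.com", "user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["group:Open-Team@example.com"]},
        {"role": "roles/owner", "members": ["group:restricted-admins@example.com"]},
    ],
}
```

On the sample data this reports the open-team editor grant as HIGH and its viewer grant as MEDIUM, while the invite-only admins group is not flagged despite holding owner.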
MITRE Techniques
- [T1078] Initial Access – Exploitation of open group join settings to gain unauthorized access to GCP roles.
- [T1068] Privilege Escalation – Gaining elevated permissions by joining a Google Group that already has roles assigned in GCP.
Indicators of Compromise
- [URL] context – batchexecute endpoints used to enumerate group settings. https://groups.google.com/u/2/_/GroupsFrontendUi/data/batchexecute?rpcids=rCA4W&source-path=/u/2/recent…, and https://groups.google.com/u/2/_/GroupsFrontendUi/data/batchexecute?rpcids=zx9ptd&source-path=/u/2/all-groups&…
- [Email] Open-join demo accounts – [email protected], [email protected]
- [Domain] Google Groups and related Google domains – groups.google.com, cloud.google.com, google.com