[Cyware] Unveiling TE.0 HTTP Request Smuggling: Discovering a Critical Vulnerability in Thousands of Google Cloud Websites | @Bugcrowd

Two security researchers uncovered TE.0, a novel HTTP Request Smuggling variant that affects thousands of Google Cloud–hosted websites behind Google Load Balancer. They demonstrated how the flaw can leak session tokens and enable mass account takeovers, then reported it to Google, earning an $8,500 bounty. #TE0 #HTTPRequestSmuggling #GoogleCloud #IdentityAwareProxy #IAP #ZeroTrust #Bugcrowd #JamesKettle

Key points

  • The TE.0 HTTP Request Smuggling variant was discovered, impacting thousands of Google Cloud–hosted sites using the Load Balancer.
  • Exploitation could leak user session tokens and enable mass account takeovers (0-click).
  • Google IAP and Zero Trust security can be bypassed when the Load Balancer is affected.
  • Researchers used their own bbscope tool to identify vulnerable targets across bug bounty programs.
  • Disclosure progressed from Bugcrowd to Google, culminating in an $8,500 bounty.
  • The TE.0 PoC involves a crafted HTTP/1.1 request sequence (OPTIONS with Transfer-Encoding: chunked) to achieve redirects and token leakage.
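
A defender-side check for the request shape named in the last key point, as an added example that is not code from the original write-up: it flags raw HTTP/1.1 requests that carry Transfer-Encoding: chunked on a method that normally has no body, and goes slightly beyond the page by also flagging ambiguous framing (both length headers, or a duplicated or whitespace-padded Transfer-Encoding). The function names, the BODYLESS_METHODS set and the sample requests are constructed assumptions.

```python
# Assumption: in the application being monitored these methods never carry a body.
BODYLESS_METHODS = {"GET", "HEAD", "OPTIONS"}

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))  # keep the raw name to spot padding
    return method, headers

def framing_findings(raw: bytes):
    """Return the reasons this request's body framing deserves review."""
    method, headers = parse_head(raw)
    te_values = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    has_cl = any(n.strip().lower() == "content-length" for n, _ in headers)
    chunked = any("chunked" in [t.strip().lower() for t in v.split(",")]
                  for v in te_values)
    findings = []
    if chunked and method in BODYLESS_METHODS:
        findings.append(f"chunked body on {method}")
    if te_values and has_cl:
        findings.append("both Transfer-Encoding and Content-Length")
    if len(te_values) > 1:
        findings.append("duplicate Transfer-Encoding")
    if any(n != n.strip() for n, _ in headers if "transfer-encoding" in n.lower()):
        findings.append("whitespace around Transfer-Encoding field name")
    return findings

# Constructed sample requests (hostnames and paths are placeholders).
SAMPLE_OPTIONS = (b"OPTIONS / HTTP/1.1\r\nHost: app.example\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SAMPLE_POST = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
SAMPLE_AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
                    b"Transfer-Encoding : Chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("options", SAMPLE_OPTIONS), ("post", SAMPLE_POST),
                       ("ambiguous", SAMPLE_AMBIGUOUS)]:
        print(label, framing_findings(req))
```

The check needs raw request heads as seen at the edge (for example from a proxy capture), since normalized access logs usually drop the framing headers.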

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – TE.0 smuggling vulnerability exposed via Google Cloud Load Balancer; “After numerous attempts, we identified a TE.0 smuggling on the main API of one of the world’s largest banks.”
  • [T1071.001] Web Protocols – Site-wide redirect to an attacker-controlled domain used to exfiltrate data; “The TE.0 PoC we presented earlier achieves a site-wide redirect to an attacker-controlled domain.”
  • [T1078] Valid Accounts – Mass 0-click account takeover enabled by leaked session tokens; “This means we were able to perform a mass 0-click account takeover.”

Indicators of Compromise

  • [Domain] – cloud.google.com, google.com, pantheonsite.io, bugcrowd.com
  • [URL] – https://cloud.google.com/iap/docs/concepts-overview#app-engine, https://www.google.com/search?q=Google+Cloud, https://live-bug-crowd.pantheonsite.io/wp-content/uploads/2024/07/B1-300×171.png
  • [File name] – bugcrowd-scope.txt

Read more: https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites