Seven different unpatched holes were discovered by Adam Gowdiak, CEO of the Polish security firm Security Explorations. The exploit uses the cloud platform Google App Engine to launch a defunct string of Java code, which can then be executed to break out of the first-layer sandbox and wreak havoc on protected areas of Google’s servers.
This is a huge problem for the Internet search giant, who could have been losing sensitive customer data, or even files from the company’s internal operations for months on end without even realizing it. Fortunately, there’s no evidence the attack has been used by malicious hackers as of yet.
As is the case with most vulnerabilities, Gowdiak waited for a response from Google for several weeks before going public. Publishing his findings to news outlets is a way to kick the company into gear, and force it to address the issue whether it likes it or not.
“It’s been 3 weeks and we haven’t heard any official confirmation / denial from Google with respect to Issues 37-41,” said Gowdiak in his post on Full Disclosure. “It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”
Ars Technica reached out to Google for a response on the issue, and received the canned response you’d expect from any entity its size. “A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We’re working with him to mitigate it; users don’t need to take any action.”
Editors' Recommendations
- Who controls the tech inside us? Budding biohackers are shaping ‘cyborg law’
- Earn up to $10,000 by squashing printer-based bugs in HP’s bounty program
- Google awards teenager $36,000 as part of its bug bounty program
- You’ll want to perk up when it comes to the new ‘Lazy State’ Intel CPU bug
- Millions of health records may be at stake in ransomware attack
