Seven different unpatched holes were discovered by Adam Gowdiak, CEO of the Polish security firm Security Explorations. The exploit uses the cloud platform Google App Engine to launch a defunct string of Java code, which can then be executed to break out of the first-layer sandbox and wreak havoc on protected areas of Google’s servers.
This is a huge problem for the Internet search giant, who could have been losing sensitive customer data, or even files from the company’s internal operations for months on end without even realizing it. Fortunately, there’s no evidence the attack has been used by malicious hackers as of yet.
As is the case with most vulnerabilities, Gowdiak waited for a response from Google for several weeks before going public. Publishing his findings to news outlets is a way to kick the company into gear, and force it to address the issue whether it likes it or not.
“It’s been 3 weeks and we haven’t heard any official confirmation / denial from Google with respect to Issues 37-41,” said Gowdiak in his post on Full Disclosure. “It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”
Ars Technica reached out to Google for a response on the issue, and received the canned response you’d expect from any entity its size. “A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We’re working with him to mitigate it; users don’t need to take any action.”
