
Security researcher blabs that Google App Engine is vulnerable to attack

According to a report released on Seclists.org’s Full Disclosure, a new set of vulnerabilities could leave Google’s App Engine open to attack from a rudimentary Java exploit.

Seven different unpatched holes were discovered by Adam Gowdiak, CEO of the Polish security firm Security Explorations. The exploit uses the cloud platform Google App Engine to launch a defunct string of Java code, which can then be executed to break out of the first-layer sandbox and wreak havoc on protected areas of Google’s servers.

This is a huge problem for the Internet search giant, which could have been losing sensitive customer data, or even files from the company’s internal operations, for months on end without even realizing it. Fortunately, there’s no evidence the attack has been used by malicious hackers as of yet.

As is the case with most vulnerabilities, Gowdiak waited for a response from Google for several weeks before going public. Publishing his findings to news outlets is a way to kick the company into gear, and force it to address the issue whether it likes it or not.

“It’s been 3 weeks and we haven’t heard any official confirmation / denial from Google with respect to Issues 37-41,” said Gowdiak in his post on Full Disclosure. “It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”

Ars Technica reached out to Google for a response on the issue, and received the canned response you’d expect from any entity its size: “A researcher recently reported a known issue affecting a preliminary layer of security in Google App Engine. We’re working with him to mitigate it; users don’t need to take any action.”

Chris Stobing
Former Digital Trends Contributor