medium

Document AI data exfiltration

Published Mon, Sep 16th, 2024

Platforms

gcp

Summary

The Document AI service unintentionally allows users to read any Cloud Storage object in the same project, in a way that isn't properly documented. The Document AI service agent is automatically granted excessive permissions, allowing it to access all objects in Cloud Storage buckets in the same project. Malicious actors can exploit this to exfiltrate data from Cloud Storage by indirectly leveraging the service agent's permissions, without holding storage permissions themselves. This vulnerability is an instance of transitive access abuse, a class of security flaw where unauthorized access is gained indirectly through a trusted intermediary.

Affected Services

Document AI, Cloud Storage

Remediation

Full remediation is not possible, but mitigating controls can be applied: use the Org Policy Constraint serviceuser.services to prevent the enablement of the Document AI service where it is not needed, and restrict API usage with the Org Policy Constraint serviceuser.restrictServiceUsage.
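An added example of the first mitigating control (not part of this entry): an organization policy that denies enablement of the Document AI API via the serviceuser.services constraint named above. ORG_ID is a placeholder for the organization number; documentai.googleapis.com is the Document AI API's service name.

```yaml
# Org policy denying enablement of the Document AI API organization-wide.
# ORG_ID is a placeholder; replace it with the target organization number.
# Apply with (assumed gcloud invocation):
#   gcloud org-policies set-policy deny-documentai.yaml
name: organizations/ORG_ID/policies/serviceuser.services
spec:
  rules:
    - values:
        # Projects under this organization can no longer enable Document AI,
        # so its over-privileged service agent is never created there.
        deniedValues:
          - documentai.googleapis.com
```

Projects that legitimately need Document AI can be exempted by overriding the policy at the folder or project level; everywhere else the service agent and its transitive Cloud Storage access never come into existence.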

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/KatTraxler

Entry Status

Finalized

Disclosure Date

Thu, Apr 4th, 2024

Exploitability Period

Ongoing, since the creation of the Document AI Service and its batch processing capabilities.

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Kat Traxler, Vectra AI