medium

Impersonate GCP Organization Through the Organizations Update Method

Published Sun, Jan 20th, 2019
Platforms

Summary

A GCP Organizations name could be changed through the (deprecated) organizations.update method in the Resource Manager, even though the documentation said the "displayName" was read-only. With this, I could have my own organization and name it as another one and confuse users: - Rename an organization "<IMPORTANT-COMPANY>.com" - Share it with "domain:<IMPORTANT-COMPANY>.com" (Effectively sharing it with every Google user with a @<IMPORTANT-COMPANY>.com account) - Profit from unsuspecting users creating resources in my organization, specially billing accounts or building projects that manage sensible information.

Affected Services

GCP Organizations

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Thu, Nov 29th, 2018
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ezequiel Pereira