Do You Want Nightmare Eclipse 2.0? This Is How You Get Nightmare Eclipse 2.0!
Google seems to have learned nothing from what is currently happening to users of Microsoft Windows. A security researcher discovered a way for any Kubernetes namespace user to bypass the Google Cloud Platform’s Identity and Access Management (IAM) controls. Once someone does so, they can gain control over an organization’s cloud environment and any data it has stored in GSuite apps. Unfortunately, Google has decided that this major flaw, dubbed ConfigConfusion, doesn’t exist.
There was an about-face, with Google first telling Justin O’Leary that this was a “Good catch!” and then denying that the security hole exists at all and refusing to pay any bounty. This seems to contradict Google’s own bug tracker, which still lists ConfigConfusion as P1/S1 with the status “in progress (accepted).” It is a bad idea to annoy those who are trying to help you secure your environment, as Microsoft and its users have been reminded over the past few months. It seems too much to hope that Microsoft has learned its lesson; instead, their apathy towards bug hunters is spreading to other major providers.