Google is facing questions over its handling of a reported critical security vulnerability in Google Cloud Platform (GCP) that could allow unauthorised access to corporate cloud environments. Security researcher Justin O'Leary claims to have discovered a significant flaw, which he has dubbed 'ConfigConfusion', that bypasses GCP's Identity and Access Management (IAM) protections and grants full control over an organisation's cloud resources.
The vulnerability reportedly stems from Config Connector, an open-source Kubernetes add-on that lets Google Cloud resources be declared and managed as Kubernetes objects. According to O'Leary, Config Connector omits a crucial authorisation check, so that any service account holding organisation-level permissions can circumvent IAM and obtain 'roles/owner', the highest-privilege basic role, over an entire GCP Organisation. The Organisation is the root node of Google Cloud's resource hierarchy: every folder, project and resource a company holds in Google Cloud sits beneath it, so Owner at that level amounts to control over all of them.
O'Leary reported his findings to Google on 8th March. On 27th March a Google security engineer accepted the report, responding 'Nice catch!' and confirming that a bug had been filed with the relevant product team. The company assigned the issue a P1 priority and S1 severity, indicating a high-priority, high-severity flaw that impacts a significant number of users and could disrupt core organisational functions. O'Leary was also prompted to review his payment options for a potential bug bounty.
However, the situation took an unexpected turn on 7th April when O'Leary received a message from a Google Security Bot. The message stated that the Cloud Vulnerability Reward Program panel had determined the 'security impact of this issue does not meet the criteria to qualify for a reward', concluding that the software was 'working as intended'. Despite this reversal, O'Leary noted that the bug report itself remains marked as P1/S1, 'in progress (accepted)', and nearly three months later, no fix has been issued, nor has a Common Vulnerabilities and Exposures (CVE) identifier been assigned.
This incident is not an isolated one for O'Leary, who reported a similar experience with Microsoft earlier this year. He claims that Microsoft rejected a reported privilege-escalation vulnerability in Azure Backup for AKS and then silently patched the flaw without public acknowledgement or a security advisory. Such recurring situations raise concerns among security researchers about the transparency and consistency of the bug bounty programmes run by major technology corporations.