pwshub.com

Vectra AI warns of Google Cloud Document AI vulnerability allowing data exfiltration

A new report from threat detection and response company Vectra AI Inc. is warning of a vulnerability in Google Cloud service Document AI that allows malicious actors to exploit the service’s misconfigured permissions.

Document AI is a Google Cloud service that uses machine learning to extract structured data from unstructured documents to automate data processing tasks. The service offers both pretrained models and customizable tools that allow businesses to efficiently analyze and manage large volumes of documents.

The vulnerability in Document AI stems from the way the service allows users to process documents stored in Cloud Storage by creating both online, or standard, jobs and offline, or batch processing, jobs. When performing batch processing, the service employs the Document AI Core Service Agent with the role “documentaicore.serviceAgent” to handle data ingestion and output the results. But in doing so, the service agent possesses broad permissions to access any Cloud Storage bucket within the same project.

As explained in the report, the broad permission model poses a significant risk because the Document AI Core Service Agent’s permissions are not limited to the resources specifically needed for the task at hand. Instead, the permission allows access to any Cloud Storage bucket within the project, meaning that even if the initial caller has restricted access, the service agent can bypass these controls.

As a result, a malicious actor could exploit the loophole to read and transfer data from a cloud storage bucket that they would not normally have access to, leading to serious data exfiltration risks.

The vulnerability represents a case of transitive access abuse, where unauthorized access is gained indirectly through a trusted intermediary – in this case, the service agent. Even if customers aren’t using Document AI, they are still vulnerable if the service can be enabled by an attacker with sufficient permissions, such as the ability to create or modify processors. The report notes that this raises significant concerns for Google Cloud customers, as the vulnerability impacts data security at a fundamental level, necessitating immediate attention and stronger access control policies.

Normally, when a cybersecurity company publishes details of a vulnerability, publication is followed by the affected company resolving the issue, but surprisingly, that’s not the case here.

Vectra AI reported the issue to Google through the Google Vulnerability Reward Program on April 4, but despite several months of research efforts to identify the root cause of the issue and propose a solution, the report says Google has “yet to determine whether they will internally classify this issue as ‘Working as Intended’ or a ‘Vulnerability,’ nor has any change to the service been made.”

Google was informed by Vectra AI that it intended to go public with the information about the vulnerability on July 2, with publication only occurring today.

The researchers warn that all Google Cloud customers are affected by the vulnerability if they do not prevent the enablement of the Document AI service and its usage via Organizational Policy Constraints. Further, a customer doesn’t need to be using Document AI to be affected.

Organizations using Google Cloud are advised to take immediate steps to disable the service if it’s not essential for their operations. Implementing strict identity and access management policies to limit permissions and using organizational constraints to block Document AI from being enabled can also significantly reduce exposure.
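One way to check a project for the exposure described above, as an added example that is not from the Vectra AI report or from Google: it reads the JSON exported by `gcloud projects get-iam-policy PROJECT_ID --format=json` and `gcloud services list --enabled --format=json` and reports whether Document AI is enabled, whether the service-agent role is bound, and which principals hold roles that could enable the API or manage processors. The role list is an illustrative, non-exhaustive assumption, and the sample data is constructed.

```python
import json

DOCAI_SERVICE = "documentai.googleapis.com"
AGENT_ROLE = "roles/documentaicore.serviceAgent"
# Assumption: illustrative, non-exhaustive roles that can enable APIs or manage processors.
REVIEW_ROLES = {
    "roles/owner", "roles/editor", "roles/serviceusage.serviceUsageAdmin",
    "roles/documentai.admin", "roles/documentai.editor",
}

def audit_project(iam_policy, enabled_services):
    """Summarise Document AI exposure for one project from exported JSON."""
    names = {
        s.get("config", {}).get("name") or s.get("name", "").rsplit("/", 1)[-1]
        for s in enabled_services
    }
    agent_members, review = [], {}
    for binding in iam_policy.get("bindings", []):
        role, members = binding.get("role"), binding.get("members", [])
        if role == AGENT_ROLE:
            agent_members.extend(members)
        elif role in REVIEW_ROLES:
            for member in members:
                review.setdefault(member, []).append(role)
    enabled = DOCAI_SERVICE in names
    return {
        "service_enabled": enabled,
        "agent_bound": sorted(agent_members),
        "principals_to_review": {m: sorted(r) for m, r in sorted(review.items())},
        # Per the report, a project is affected even with the API disabled
        # if some principal is able to turn it on.
        "exposed": enabled or bool(review),
    }

# Constructed sample data (hypothetical principals and project).
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/documentai.editor",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:analyst@example.com"]},
]}
SAMPLE_SERVICES = [{"config": {"name": "storage.googleapis.com"}, "state": "ENABLED"}]

if __name__ == "__main__":
    print(json.dumps(audit_project(SAMPLE_POLICY, SAMPLE_SERVICES), indent=2))
```

A project that reports `exposed` with the service disabled is the case the researchers describe: the API is off, but a listed principal could turn it on.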

Source: siliconangle.com
