In Google Cloud, you can assign admin, billing, etc. to a Google group.

Years ago I made a Google group for Google Cloud administration.

A company in Spain, a bunch of startups, etc. have added that Google group (by accident) as an IAM user with varying levels of roles attached.

I now have billing access to one account, admin access to another, and can just hop into the database of at least two of the accounts.

I tried to reach out to Google support, but because I don't have "business" or "enterprise" level support I can't even submit a ticket.

I'm trying to let them know but can't; they don't do chat, there's no phone number, and even the billing contact is an automated chatbot only.

GCloud should have something like an "emergency reach out to a person" link.
A few months ago I stumbled upon a bug in a state machine that allowed me to obtain stuff without having to pay for it. It was a weird combination of steps and was kind of hard to explain.

I submitted a ticket to the support team advising them in painstaking detail of the steps needed to reproduce this vulnerability. They could also look at my account and see that I got stuff without paying.

A couple of days later I got a reply from a support manager that my concern wasn't valid and there was no bug.

The next week I happened to be at a conference where the company in question was a sponsor. So, I visited their booth and spoke with the VP of Eng. He asked me to forward the ticket to security@. Within 8 hours I got a reply from them saying that they had fixed the bug.

I guess I'm saying that even if Google let you submit a support ticket it might get ignored, because they aren't trained to deal with security reports.
Ex-Googler here. Try reporting it through the security disclosure program: https://www.google.com/appserve/security-bugs/m2/new

You can also assume that by virtue of you having posted this here and being on the front page, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact. This almost always works :)

Maybe edit your OP with a way to contact you, so that someone can reach out.
As a person who paid for Google's "Gold" support: they are less than useless.

Don't go into these accounts at all. Not even to try and help/contact them. Laws about this are very vague and no one within the org would want to admit that they made a mistake by adding you.
Even if you manage to reach out to Google, I doubt they will do anything like remove your group from those roles. From their POV you could just be trying to social engineer them into removing someone who has legitimate access.

I think you have better chances contacting people in the org who added your group to those roles.
Update #2 - they actually responded to my bug bounty request. Seems they think it may be worth fixing but not a big enough deal to pay out a bounty to me. Obviously I'd like the bounty, but if I got any recognition that would be awesome.

---
Hi,

Thanks again for your report.

I've filed a bug with the responsible product team based on your report. The product team will evaluate your report and decide if a fix is required. We'll let you know if the issue was fixed.

Regarding our Vulnerability Reward Program: At first glance, it seems this issue is not severe enough to qualify for a reward. However, the VRP panel will take a closer look at the issue at their next meeting. We'll update you once we've come to a decision.

If you don't hear back from us in 2-3 weeks or have additional information, let us know!

Regards,
Google Security Team
As other commenters here have noted, a company can't just do this accidentally. If they add an external group, there's a warning message. Because many times it may be a mistake, but there are also many times a company will have a legitimate reason to do so.

This isn't a bug, it's a feature. If you want to do the right thing, the correct course of action isn't to notify Google, it's to send an e-mail to the companies so they can revoke access to the group. It's not Google's problem.

Or if you don't want to deal with that and the group isn't used for anything anymore and you still want to be a good citizen, just delete everybody else from the group.
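The revocation the comment above asks the affected companies to do starts with knowing which bindings point at principals outside your own domain. The following audit script is an added example, not code from this thread or from Google: it walks an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` emits (a list of `bindings`, each with a `role` and `members`), flags every `user:`, `group:`, `serviceAccount:` or `domain:` member whose domain is not on an allow-list, flags `allUsers`/`allAuthenticatedUsers` as public, and prints the matching `gcloud projects remove-iam-policy-binding` command for each hit. The sample policy, the domains and the addresses in it are constructed placeholders; the allow-list is an assumption the caller supplies.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# Every address and domain below is a placeholder, not a real identity.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example-corp.test",
                 "group:gcp-admins@external-domain.test"]},
    {"role": "roles/billing.admin",
     "members": ["group:gcp-admins@external-domain.test"]},
    {"role": "roles/cloudsql.client",
     "members": ["serviceAccount:app@my-project.iam.gserviceaccount.com",
                 "group:devs@example-corp.test"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers"]}
  ],
  "etag": "BwX-constructed-etag",
  "version": 1
}
"""

# Assumed allow-list: the organisation's own Workspace domain plus the
# service-account domain of the project being audited.
ALLOWED_DOMAINS = {"example-corp.test", "my-project.iam.gserviceaccount.com"}

# Principals that grant access to everyone (optionally everyone signed in to Google).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


@dataclass(frozen=True)
class Finding:
    role: str
    member: str
    reason: str


def member_domain(member):
    """Return the domain a member resolves to, or None for forms we don't classify.

    Handles user:, group:, serviceAccount: (e-mail style) and domain: members.
    deleted: members are left for manual review rather than guessed at.
    """
    kind, sep, ident = member.partition(":")
    if not sep or kind == "deleted":
        return None
    if kind == "domain":
        return ident.lower()
    if "@" in ident:
        return ident.rsplit("@", 1)[1].lower()
    return None


def find_external_bindings(policy, allowed_domains):
    """Return Findings for public principals and for members outside allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(Finding(role, member, "public principal"))
                continue
            domain = member_domain(member)
            if domain is not None and domain not in allowed:
                kind = member.split(":", 1)[0]
                findings.append(Finding(role, member, f"external {kind} domain {domain}"))
    return findings


def audit_policy_json(text, allowed_domains):
    """Parse gcloud's JSON output and audit it."""
    return find_external_bindings(json.loads(text), allowed_domains)


def removal_command(project_id, finding):
    """Build the gcloud command an owner would run to drop one binding."""
    return (f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={finding.member} --role={finding.role}")


if __name__ == "__main__":
    # Offline demo on the constructed policy; swap in real gcloud output to audit a project.
    for f in audit_policy_json(SAMPLE_POLICY_JSON, ALLOWED_DOMAINS):
        print(f"{f.role:24} {f.member:55} {f.reason}")
        print("   ", removal_command("my-project", f))
```

Run it against real output with `gcloud projects get-iam-policy PROJECT --format=json > policy.json` and pass the file contents to `audit_policy_json`. The script is a detective control after the fact; the preventive control for the situation in the thread is the organisation policy constraint `constraints/iam.allowedPolicyMemberDomains` (domain restricted sharing), which makes bindings to principals outside the listed Cloud Identity/Workspace customer IDs fail at policy-set time instead of merely warning.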
This is a known 'issue': https://news.ycombinator.com/item?id=34193047
At least twice I have left a review about a Business on Google Maps and ended up as an admin of their business profile.
I don't know what's going on with Google.
I'm the SRE oncall for Cloud IAM. Can you send me a message on LinkedIn (link in my profile)? I'll give you my Google corp account email address.
As an admin of their group can you see their group admin contact email address? If so maybe they have an enterprise account and can reach a human in Google. I am not a lawyer but there is probably risk in accessing any of their data, audit trails and all.
You are prompted to confirm an external group being added as admin. Someone purposefully ignored it.

Good luck. You're trying to do the right thing, but if they lawyer you, remind them they added you, not you added them.
I would have thought that being "added" to anything is a two-way confirmation:

1. One from the party wanting to add the group to their account. Based on a prior comment, it sounds like you are prompted to confirm an external group being added as admin.

2. One from the party administering/owning an external Google group being requested to be added. Is there any confirmation here?

Without the 2nd confirm, I start imagining security exposures in the family of ransomware - let's call it "RansomAdd". You randomly add external Google groups until you get someone to poke around "too much" and then threaten them with legal action unless they pay up. Ugh.
Isn't this a little like reaching out to Linus because someone changed their home directory permission to rwxrwxrwx? It sucks for them, but what could Google do?
I was successful in the past reaching out through this:

https://issuetracker.google.com/issues/new?component=187161&template=1162660

I was told "issuetracker" generates messages directly to support/engineering teams and they do look into it.

Submit a "defect" and they will answer.
Just ignore it and move on. There's no winning there. In the worst case, the company may try to file charges against you for computer abuse/fraud. In the best case, an otherwise harmless association is removed from your account. It is impossible to get ahold of anyone at Google if you are not an enterprise customer. Just forget about it and do nothing.
As usual, the expected Google Clown Platform support.

FWIW, 3 months ago they shut down my servers for some minor issue and I was only able to get them reactivated after a week.

Source: https://news.ycombinator.com/item?id=35133917
Surely there should be a way for an owner of a group to revoke these permissions. I am not familiar with the tech though.

If it is not too much hassle I would create a new group, switch to it and delete the old one. This is just one of many reasons corps add prefixes to their naming conventions in the cloud.

I would not go down the path of contacting the companies. You have to see it from their point of view when it comes to security and legal processes. Just because you know that you have not done anything wrong does not mean anything for how they will proceed. They will start from the objectives: somebody has access to our stuff.
UPDATE: I have just submitted a bug bounty request.

It would really help my career and life if I get that!

I won't do anything with the accounts I accidentally have access to.
Just to better understand, was it a "generic enough" Google Group name that people used its name in the policy thinking they were granting access to their own "google cloud administrators"? Or were people/companies actively part of that Google Group you created?
I'm surprised anyone would ever use Google Cloud Platform after reading this. No support at all? AWS blows them out of the water because they value customer support, I guess.
Update #3
Got an honorable mention from Google Bug Hunters.

They said they're gonna see if it's worth fixing and will get back to me. They didn't award a bug bounty, but I'll take the kudos.
Be very careful. Even though you're trying to do The Right Thing don't alert these companies to the fact you've been accessing their accounts without permission.
Not sure what support could do for you that you could not do yourself, i.e., undertake to degrade the 'years ago group' and alert responders as needed.
GCloud security is horrible. It's like they designed the whole thing to be insecure by default. Coming from AWS, the amount of permissions they give by default in the most commonly-used roles is insane. They also seem to lack some functionality necessary to make fine-grained access permissions to access some of their advertised features. It's really crazy.
I think you can reach them on their forum as well, for example https://www.googlecloudcommunity.com/gc/Security/Welcome-to-the-Security-Space-of-the-Google-Cloud-Community/m-p/175460#M89
I have a hard time feeling any sympathy for these companies. When you trust an ad company like Google, what did you expect? Maybe Google will shut down this product and fix the security hole in the process.
Perhaps related to this bug which Google has known about for 12 years, and is potentially in breach of GDPR?
https://issuetracker.google.com/issues/35889152