



























Google seems to have learned nothing from what is currently happening to users of Microsoft Windows. A security researcher discovered a way for at any Kubernetes namespace user to bypass the Google Cloud Platform’s Identity and Access Management (IAM) controls. Once someone does so they can gain control over an organization’s cloud environment and any data they’ve stored in GSuite apps. Unfortunately Google has decided that this major flaw, dubbed ConfigConfusion, doesn’t exist.
There was an about face, with Google first telling Justin O’Leary that this was a ‘Good catch!” and then denying the security hole exists at all and refusing to pay any bounty. This seems to contradict Google’s own bug tracker which still lists ConfigConfusion as P1/S1 with the status “in progress (accepted).” It is a bad idea to annoy those who are trying to help you secure your environment, as Microsoft and its users have been reminded over the past few month. It seems to much to hope that Microsoft has learned it’s lesson; instead their apathy towards bug hunters is spreading to other major providers.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。