Summary (give a brief description of the issue)
An access token for the internal GCP project “cxl-services” can be leaked using a URL whitelist bypass on https://cxl-services.appspot.com/proxy. This token could be used to elevate privileges in other internal projects, access some internal Compute instances and possibly take full control over cxl-services.appspot.com. This App Engine app proxies demo API requests on Google Cloud product pages (e.g. the Cloud Text-to-Speech demo).
References (provide links to blogposts, etc.)
https://feed.bugs.xdavidhu.me/bugs/0008
https://bugs.xdavidhu.me/google/2020/03/08/the-unexpected-google-wide-domain-check-bypass/