wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

[Contribution] Leaking Google Cloud service accounts and projects #228

Closed korniko98 closed 8 months ago

korniko98 commented 1 year ago

Summary (give a brief description of the issue)

It was possible to list IAM service accounts of any Google Cloud Platform project, given its project number, by forging a pageToken for the projects.serviceAccounts.list method of the IAM API. Due to the design of certain services in Google Cloud, this issue could lead to the leak of lots of Google Cloud Platform project IDs, which are considered PII, and which could be further used to scan for unsecured resources in the platform, such as App Engine apps, Container Registry repositories, etc.

References (provide links to blogposts, etc.)

https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html