Open korniko98 opened 7 months ago
Researcher found a way to disclose any user email address via CORS misconfiguration in IAP by opening a malicious domain, and implemented two different attack scenarios to read the email address of an authenticated or unauthenticated user.
https://medium.com/@LogicalHunter/identity-aware-proxy-misconfiguration-google-cloud-vulnerability-813d2a07a4ed
Summary (give a brief description of the issue)
Researcher found a way to disclose any user email address via CORS misconfiguration in IAP by opening a malicious domain, and implemented two different attack scenarios to read the email address of an authenticated or unauthenticated user.
References (provide links to blogposts, etc.)
https://medium.com/@LogicalHunter/identity-aware-proxy-misconfiguration-google-cloud-vulnerability-813d2a07a4ed