30+ bugs found in Google App Engine
Adam Gowdiak, CEO of Polish firm Security Explorations, has announced that his team of researchers have discovered over 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), Google’s popular PaaS cloud computing platform for developing and hosting web applications.
By exploiting the vulnerabilities they have apparently succeeded in bypassing GAE whitelisting of JRE classes and have managed to escape the Java VM security sandbox and execute native code, have managed to access some of the files comprising the JRE sandbox, and have extracted information and definitions from a number of them.
No more details have been revealed as their research has been cut short by Google, who suspended their GAE “test” account a few days ago.
Gowdiak admits they were right to do so.
“This week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc,” he explained, but expressed his hope that Google will allow them to continue their research by reinstating the account as, he noted, Google seems to appreciate “arbitrary security research / all sorts of sandbox escapes.”
The researchers would like to verify the vulnerabilities spotted and try out some attack ideas, and said they would report their findings to Google and, likely once the issues are fixed, share them with the security community.