A Google Cloud Build vulnerability could have enabled supply chain attacks

Google vulnerability
The Silicon Review
24 July, 2023

Google issued a patch, but the vulnerability remains.

Researchers from Orca Security’s Research Pod have identified a "critical" weakness in Google’s Cloud Build that could have let hackers tamper with firms’ application images and code repositories. According to Orca, the vulnerability could have allowed attackers to mount supply chain attacks similar to the SolarWinds hack or the 2021 breach of MOVEit. Google issued a patch, but the vulnerability remains. Orca researcher Nisimi said that while the fix limited the vulnerability, it turned it into a design flaw that still leaves users open to a larger supply chain danger. The issue arose from poorly defined permissions in Cloud Build, an automation service that authenticates build requests through user accounts.

Google responded by deploying a fix, but Orca said it was not enough and still left organizations exposed to greater supply chain risk. The weakness recalls the breaches at SolarWinds and at the IT firm MOVEit earlier this year, in which hackers tampered with software supply chain processes to install malware that gave them access to corporate networks. Because Google's fix does not completely resolve the issue, organizations should pay close attention to the behavior of the default Google Cloud Build service accounts until further security measures are in place, according to Orca's Nisimi.
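One concrete way to act on that advice is to audit which IAM roles a project binds to its default Cloud Build service account. The following is an added example, not code from Orca or Google: it parses an IAM policy in the JSON shape `gcloud projects get-iam-policy` emits (the sample policy, project number and the expected-role allowlist are constructed assumptions) and reports every role on that account that is outside the allowlist.

```python
from __future__ import annotations
import json
import re

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# The project number 123456789012 and all bindings are made up for this example.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/cloudbuild.builds.builder",
         "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["user:dev@example.com",
                     "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:other-sa@example.iam.gserviceaccount.com"]},
    ]
})

# The default Cloud Build service account is named <project-number>@cloudbuild.gserviceaccount.com.
CLOUD_BUILD_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Roles this check accepts on that account without comment (assumption; tune per project).
EXPECTED_ROLES = {"roles/cloudbuild.builds.builder"}


def cloud_build_roles(policy_json: str) -> dict[str, list[str]]:
    """Map each default Cloud Build service account member to the roles bound to it."""
    policy = json.loads(policy_json)
    roles: dict[str, list[str]] = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if CLOUD_BUILD_SA.match(member):
                roles.setdefault(member, []).append(binding["role"])
    return roles


def unexpected_roles(policy_json: str) -> dict[str, list[str]]:
    """Roles on the default Cloud Build account outside EXPECTED_ROLES: justify or remove each one."""
    return {member: sorted(r for r in rs if r not in EXPECTED_ROLES)
            for member, rs in cloud_build_roles(policy_json).items()
            if any(r not in EXPECTED_ROLES for r in rs)}


if __name__ == "__main__":
    for member, roles in unexpected_roles(SAMPLE_POLICY).items():
        print(f"{member}: review {', '.join(roles)}")
```

Feed it a real policy with `gcloud projects get-iam-policy PROJECT_ID --format=json`; bindings carrying an IAM condition are reported like any other, so review them by hand.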