In a secure development environment, we immerse ourselves in the intricate framework of a widely-used mobile application, tentatively referred to as XX. This application primarily serves as an educational platform for those aspiring to become programmers. It offers the unique feature of allowing users to write, compile, and execute code in various programming languages directly within its interface.

The Underlying Infrastructure: A Closer Look

The Mobile App “XX” operates by compiling and running user-submitted code on the server side, specifically within the limited environment of a Google Cloud Function. While this approach reduces the computational burden on the client side and provides a semblance of security, it raises concerns related to data isolation and access control.

The Vulnerability Paradox

Despite its widespread usage, we identify a potential vulnerability in the application's design. The code, though encapsulated within Google Cloud Functions, does not inherently prevent users from interacting with other users’ submitted code. A potential risk is thus evident: could one user access another's source code, effectively breaching data privacy?

Enumeration: The Diagnostic Tool

To probe this possibility, we employ the technique of enumeration. We initiate a shell command designed to identify files modified within the last five minutes on the server.

find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null

The output returns a list of transient files that are unaccessible—seemingly compiled, executed, and deleted in quick succession.

Bypassing Ephemeral Existence: Capturing Transient Data

Intrigued by the ephemeral nature of these files, we craft a Python script designed to continuously monitor the server’s file directory and capture the content of new files during their brief existence.

Since we could run python:

from os import walk

dr = {}

while True:
  for (dirpath, dirnames, filenames) in walk("/basedirectory"):
    for f in filenames:
      if f not in dr:
        dr[f] = True
        print(dirpath, f)
        try:
          print(open(dirpath + "/" + f,"r").read())
        except:
          pass

In compliance with a confidentiality agreement, we are unable to disclose specific output data. However, the company involved has graciously permitted us to publish the methodology behind the attack, while withholding any information that could compromise their reputation. In recognition of this collaboration, they have been granted a significant discount on our penetration testing services.

Findings and Implications

The script successfully captures the contents of other users' source code, substantiating our initial hypothesis. While we harbor no malicious intent, our discovery highlights a significant security vulnerability within this app and also in similar platforms.

So…

So to conclude, the Google Functions can provide an isolated environment and thus are secure. However, the developers falsely assumed that each user that makes a request to the same function may have a different runtime environment. This is a false assumption because they used the same function and thus they share the same runtime environment for their users. The Google Functions each time may pick a different container to run the code, but cannot guarantee there will no overlaps and container reuse. So this will lead to shared runtime environments (same instance).

Each function deployment in Google Cloud Functions is isolated from other function deployments. They don't share runtime environments, memory, or variables with each other. This means that Function A is isolated from Function B - they won't interfere with each other's execution or state.

So how do we remediate?

To remediate this vulnerability you should create a new function for each user. If this is not practical you should go with Google Kubernetes Engine (GKE) as an alternative. However, this is the way to go for all those platforms that are using Google Functions as a shared runtime environment for their users. If you want to give code execution to your users, use a separate function, as simple as that.

Widespread Access Control Flaws: An Industry-Wide Issue

Further investigation reveals that this lack of robust access control is not limited to the investigated app alone; other coding applications demonstrate similar vulnerabilities. Consequently, the issue extends beyond a single application, indicating a systemic gap in ensuring user data privacy and security in cloud-based code execution environments.

Our findings serve as a cautionary tale, inviting a closer scrutiny of access control mechanisms and urging immediate remedial measures to fortify the vulnerable boundaries.

Book a penetration test now!

If you're concerned about the vulnerabilities in your own applications, now is the time to act.

We offer specialized penetration testing services designed to unearth and address security flaws before they can be exploited.

Contact us today to ensure your application's integrity and protect your user data.

Penetration Testing Services