This conference talk explores how cloud security complexity can lead to critical vulnerabilities, showcasing a remote code execution vulnerability called 'CloudImposer' that affected millions of Google Cloud Platform servers. Follow the thrilling discovery process that revealed how a single faulty command argument used by GCP enabled potential attacks on both customer workloads and Google's internal production servers. Learn about unique cloud security insights, including how supply chain vulnerabilities in cloud environments can have exponentially greater impact and how cloud providers build services like Jenga towers, with core services forming the foundation for customer-facing offerings. Dive deep into the vulnerable GCP Cloud Functions deployment flow and discover a newly available tool for finding hidden APIs called by cloud providers. Gain valuable knowledge about the dangers of treating cloud services as black boxes and acquire practical tools for examining cloud infrastructure security.
Syllabus
The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and more)
Taught by
Black Hat