Vulnerability in Google Cloud Platform allows access to customer secrets and data
Google fixed the vulnerability after researchers were able to hack into the cloud service.
Cybersecurity researchers at Dig Security discovered a critical vulnerability in a Google Cloud Platform (GCP) database service. The flaw allowed access to sensitive data and secrets, as well as privilege escalation and disruption of other cloud services, including those potentially owned by Google customers.
The experts found the vulnerability through a security gap in GCP's CloudSQL service, which supports several different database engines – including MySQL, PostgreSQL and SQL Server – for use in the cloud.
The vulnerability allowed the researchers to escalate privileges and add a user they had created to the DbRootRole, which is an administrative role in GCP. The researchers then exploited another critical flaw in the roles and permissions architecture to further elevate their privileges, eventually giving the attacker the role of system administrator with full control of SQL Server. The researchers were then able to access the operating system hosting the database.
At this point, the researchers could access sensitive files on the host OS, view files, read passwords, and extract sensitive data. In addition, the host had access to service agents, which could potentially lead to further escalation into other environments. This last aspect of the vulnerability could give an attacker access to resources in customer environments that use GCP.
The researchers discovered the vulnerability in February and reported the issue to Google through its bug bounty program. The companies worked together for two months, and Google fixed the issues in April and awarded Dig Security for finding the flaw.