Security News > 2023 > July > Google Cloud shores up log permissions for builder bot
Infosec in brief A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations' code repositories and application images, according to Orca Security researchers.
The issue, as Google describes it, is more about poorly defined permissions.
Cloud Build, as an automation service, uses service accounts to authenticate requests made during a build.
As Orca researchers discovered, if someone enables the Cloud Build API in a project, the product automatically creates a default service account to execute builds.
"We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June," Google told us.
"It's important that organizations pay close attention to the behavior of the default Google Cloud Build service account," Nisimi said, adding that applying the principle of least privilege is vital to reducing an organization's risk.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/07/24/infosec_in_brief/
Related news
- Google Cloud Expands Confidential Computing Portfolio (source)
- Google Cloud to make MFA mandatory by the end of 2025 (source)
- Google Cloud to Enforce Multi-Factor Authentication by 2025 for All Users (source)
- All Google Cloud users will have to enable MFA by 2025 (source)
- Google Cloud Cybersecurity Forecast 2025: AI, geopolitics, and cybercrime take centre stage (source)