Overly permissive settings in Google Cloud's Document AI service can be abused by data thieves to break into Cloud Storage buckets and steal sensitive information.
This is according to threat detection and response company Vectra AI and its chief security researcher Kat Traxler, who say that although Google eventually paid a bug bounty for the find, the cloud giant has yet to fix the misconfiguration, meaning this attack vector is still wide open.
The whole vulnerability reporting process was a bit of a mess. Traxler reported the bug in early April, but Google initially determined that the documentation was "insufficient" to pay a bounty for the find. Then they reversed course and awarded the bug hunter $3133.70 for her reporting – marking the status as "fixed", while Traxler claims it's still a problem.
Google did not immediately respond to The Register's inquiries.