[Google VRP] Privilege escalation on https://dialogflow.cloud.google.com


lalka

Hi.

This is a short story (because I’m lazy, yes) about my last bug for Google VRP.

While testing for privilege escalation problems on https://dialogflow.cloud.google.com/ I noticed that downgrading the access level of an invited user does not work as expected.

Steps to reproduce:

1. Go to https://dialogflow.cloud.google.com/#/editAgent/{project}/ settings -> Share -> invite another user with “Developer” role.
2. Downgrade “Developer” role to “Reviewer” and apply changes.
3. Observe that although the changes have been applied and the role is now “Reviewer”, the user can still perform all actions as a “Developer”.

But why?

I went to https://console.cloud.google.com/iam-admin/ and saw that the roles and assignments of invited users for https://dialogflow.cloud.google.com/#/editAgent/{project}/ were not changing properly. When the access level is changed, the permissions are not replaced (“Developer” -> “Reviewer”) but added to each other (“Developer” + “Reviewer”).
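The root cause described above is an additive role change: the new IAM binding is written, but the member is never removed from the old one, so the higher-privileged binding stays in effect. The following is an added example, not code from the original post or from Google; it models both the additive (buggy) update and a replacing update on an IAM-style policy document, and includes a small audit that flags any member holding more than one ranked role, which is the signature a defender would look for after such a bug. The role IDs `roles/example.developer` and `roles/example.reviewer`, the ranking, and the sample policy are constructed placeholders, not the real Dialogflow role names.

```python
"""Added example (not from the original post): model the additive
role-change behaviour described above and audit an IAM-style policy for
stale higher-privileged bindings. Role IDs, ranking and the sample
policy are constructed placeholders, not real Dialogflow roles."""
import copy
from typing import Dict, List

# Hypothetical role IDs ranked from least to most privileged (assumption).
ROLE_RANK = {
    "roles/example.reviewer": 1,
    "roles/example.developer": 2,
}


def additive_role_change(policy: dict, member: str, new_role: str) -> dict:
    """The buggy behaviour: add the member to the new role's binding
    while leaving every existing binding for that member untouched."""
    policy = copy.deepcopy(policy)
    for binding in policy["bindings"]:
        if binding["role"] == new_role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        policy["bindings"].append({"role": new_role, "members": [member]})
    return policy


def replace_role(policy: dict, member: str, new_role: str) -> dict:
    """The expected behaviour: strip the member from all other ranked
    roles first, drop emptied bindings, then add the new binding."""
    policy = copy.deepcopy(policy)
    for binding in policy["bindings"]:
        if (binding["role"] in ROLE_RANK and binding["role"] != new_role
                and member in binding["members"]):
            binding["members"].remove(member)
    policy["bindings"] = [b for b in policy["bindings"] if b["members"]]
    return additive_role_change(policy, member, new_role)


def effective_roles(policy: dict) -> Dict[str, List[str]]:
    """Map each member to every ranked role they currently hold."""
    held: Dict[str, List[str]] = {}
    for binding in policy["bindings"]:
        if binding["role"] in ROLE_RANK:
            for member in binding["members"]:
                held.setdefault(member, []).append(binding["role"])
    return held


def find_stale_privileges(policy: dict) -> Dict[str, str]:
    """Audit check: members holding more than one ranked role keep the
    privileges of the highest one. Returns member -> highest role held."""
    stale: Dict[str, str] = {}
    for member, roles in effective_roles(policy).items():
        if len(roles) > 1:
            stale[member] = max(roles, key=ROLE_RANK.__getitem__)
    return stale


# Constructed sample policy: one invitee holding the higher role.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/example.developer",
         "members": ["user:invitee@example.com"]},
    ]
}

if __name__ == "__main__":
    invitee = "user:invitee@example.com"
    buggy = additive_role_change(SAMPLE_POLICY, invitee, "roles/example.reviewer")
    print("after additive downgrade:", find_stale_privileges(buggy))
    fixed = replace_role(SAMPLE_POLICY, invitee, "roles/example.reviewer")
    print("after replacing downgrade:", find_stale_privileges(fixed))
```

Running the script shows the invitee still mapped to the developer role after the additive downgrade and no findings after the replacing one; the same audit can be pointed at a real exported policy by substituting the real role IDs into `ROLE_RANK`.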

Timeline:

- Apr 6, 2021: reported
- Apr 7, 2021: triaged
- Apr 16, 2021: Nice catch!
- Apr 22, 2021: Awarded $3133.70
- Jun 13, 2021: Fix