.jpg)
Security Explorations, a Poland-based security firm, on May 15 disclosed technical details and Proof of Concept (PoC) codes for unconfirmed and unpatched vulnerabilities presence in Google App Engine for Java.
In October 2012, the company started its research on Google App Engine for Java however it could not continue it. Then, in October 2014, it resumed the project.
The company confirmed more than 30 vulnerabilities in December.
According to a report published on SecurityWeek, it had identified and reported a total of 41 issues to the authority concerned, but the Google said it internally fixed those flaws.
“That does not speak well about Google GAE engineers and their Java security skills in particular,” Adam Gowdiak, founder and CEO of Security Explorations, told SecurityWeek.
Till the date, Google has confirmed a total of 36 vulnerabilities. However, the Security Explorations confirmed that a few of them were still left unpatched.
Although, in Mid-March Security Exploration revealed 31 flaws which were later fixed by Google, Gowdiak, wrote in a mail that there are seven different vulnerabilities still exist in the Google service which he briefly discussed in his mail.
He said that the flaws have been reported to Google three weeks ago. However, he has not received confirmation from the Google officials. Nor, the authority concerned has not fixed any of them.
"It has been three weeks and we haven't heard any official confirmation or denial from Google with respect to Issues 37-41," Gowdiak wrote. "It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and / or consult the source code.”
He added that it is easy to exploit the flaws by attackers. They could use the freely available cloud platform to run a malicious Java application. The app would then break out of the first sandboxing layer and execute code in the highly restricted native environment.
The hackers could use the restricted environment to attack lower-level assets and to retrieve sensitive information from Google servers.
Google had decided to award Security Explorations with $70,000 for disclosing the vulnerabilities. The total amount of $50,000 was already paid to the company on March 20.
Gowdiak said that now, Google might not give them remaining $20,000 as they have disclosed the unpatched and unconfirmed vulnerabilities. However, the company believes that rewards cannot influence the way a vulnerability handling/disclosure of a security research is made.
“We need to treat all vendors equal. In the past, unconfirmed, denied or silently fixed issues were the subject to an immediate release by us,” he said.
.jpg)
.jpg&url=https://www.cysecurity.news/2015/05/security-explorations-reveals-several.html&description=Security Explorations reveals several vulnerabilities in Google App Engine ){kind=link}