Monday, May 12, 2025
HomeCyber Security NewsCritical Google Cloud's SQL Service Flaw Exposes Sensitive Data

Critical Google Cloud’s SQL Service Flaw Exposes Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Google recently fixed a critical Cloud SQL database service flaw that could have been exploited to access sensitive data and breach other cloud services.

On May 25th, Dig Security researchers uncovered this security gap in the CloudSQL service of GCP, enabling unauthorized access to various database engines like:- 

  • MySQL
  • PostgreSQL
  • SQL Server

Google Cloud’s SQL Service Flaw

Dig Security’s Ofrir Balassiano and Ofrir Shaty disclosed that:- 

- Advertisement - Google News

“Exploiting the vulnerability granted them the ability to elevate privileges and assign a user to the highly privileged DbRootRole role in GCP.”

Leveraging a critical misconfiguration in the roles-permissions architecture, they escalated their privileges.

They obtained a system administrator role, granting them complete control over the SQL Server and enabling access to the underlying operating system.

Google Cloud's SQL Service Flaw
Db Role

The researchers affirmed that they gained the ability to retrieve sensitive files, view privileged paths, extract passwords, and access secrets from the host operating system.

They also highlighted the potential for further escalation to other environments through the underlying service agents.

Google Cloud's SQL Service Flaw
Escalation

While apart from this, Dig Security discovered the flaw in Google’s Cloud SQL database service in February and notified Google. 

After they had been notified, Google promptly fixed the issue in April and rewarded Dig Security researchers a bug bounty reward under their bug bounty program.

In addition, security analysts also discovered another crucial flaw within the permission structure, allowing them to elevate privileges and grant their users the coveted ‘sysadmin’ role.

Google Cloud's SQL Service Flaw
Escalation of a user rule

Unauthorized access to internal data such as secrets, URLs, and passwords poses a significant security risk, as demonstrated by their ability to obtain sensitive information from Google’s docker image repository before the issue was resolved and non-internal IP access was restricted.

Research Timelines

Here below, we have mentioned the complete research timelines:-

  • February 5th, 2023: GCP CloudSQL vulnerability discovered by Dig’s research team.
  • February 13th, 2023: Google’s vulnerability reward program identified activity and contacted Dig’s research team.
  • During April 2023: The vulnerability was successfully addressed and resolved. 
  • April 25, 2023: Experts were rewarded by the GCP VRP program.

Deploying a Data Security and Privacy Management (DSPM) solution can safeguard organizations from vulnerabilities by identifying and protecting their most sensitive data through encryption, containing potential breaches, and minimizing exposure.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...