New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations in the way different web servers or intermediaries, such as load balancers and proxies handle HTTP request sequences.

By creating malicious HTTP requests that exploit these inconsistencies, an attacker can control the order in which requests are processed, possibly resulting in unauthorized access, circumvention of security controls, session hijacking, or injection of malicious content into responses meant for other users.

This flaw is based on differences in the interpretation of start and end points for HTTP requests, which helps the server process them incorrectly.

Cybersecurity researchers at BugCrowd recently in a collaborative effort by Paolo Arnolfo (@sw33tLie), a hacking enthusiast passionate about server-side vulnerabilities, Guillermo Gregorio (@bsysop), a dad superhero and skilled hacker, and █████ (@_medusa_1_), a stealthy genius unveiled key insights about HTTP Request Smuggling.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

New TE.0 HTTP Request Smuggling

While cloud hosting offers security benefits, unknown HTTP Request Smuggling vectors can still pose significant threats. 

A recent discovery affected thousands of Google Cloud-hosted websites using their Load Balancer, compromising various services, including Identity-Aware Proxy. 

Researchers employ differential testing tools like http-garden for local servers and “spray-and-pray” techniques on bug bounty programs for cloud infrastructures to uncover such vulnerabilities. 

Tools like bbscope can generate extensive target lists for vulnerability research, highlighting that HTTP Request Smuggling remains a widespread and under-researched security issue.

TE.0, a new HTTP request smuggling variant, was discovered to be affecting Google Cloud’s Load Balancer.

The technique, which is similar to the CL.0 variant but uses Transfer-Encoding, enabled mass 0-click account takeovers on susceptible systems.

It affected thousands of targets, including those protected by Google’s Identity-Aware Proxy (IAP), and it was widespread among Google Cloud-hosted websites that were set to default HTTP/1.1 rather than HTTP/2.

This discovery shows how HTTP Request Smuggling techniques keep evolving and why constant security research is crucial in cloud infrastructures.

TE.0 HTTP Request Smuggling vulnerability affected Google’s Load Balancer and compromised Google Identity-Aware Proxy (IAP), a key feature of Google Cloud’s Zero Trust security.

This flaw made it possible to bypass the strict authentication and authorization measures of IAP consequently violating its principle “never trust, always verify.”

The flaw allowed site-wide redirects as well as malicious use of application-specific widgets which could have led to severe security breaches.

All TE.0 attacks were able to evade IAP protection though not all had serious consequences.

Google admitted this after initial reporting challenges, demonstrating that fixing loopholes in cloud infrastructure is a complex problem.

Here below we have mentioned the disclosure timeline:-

Google Cloud’s infrastructure was discovered to have a significant vulnerability due to persistent attempts to hack through the web application by using HTTP request smuggling techniques.

Research motivated by curiosity which resulted in a big check and a lesson that cyber security highlighted the value of creative thinking.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.