New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations in the way different web servers or intermediaries, such as load balancers and proxies handle HTTP request sequences.

By creating malicious HTTP requests that exploit these inconsistencies, an attacker can control the order in which requests are processed, possibly resulting in unauthorized access, circumvention of security controls, session hijacking, or injection of malicious content into responses meant for other users.

This flaw is based on differences in the interpretation of start and end points for HTTP requests, which helps the server process them incorrectly.

Cybersecurity researchers at BugCrowd recently in a collaborative effort by Paolo Arnolfo (@sw33tLie), a hacking enthusiast passionate about server-side vulnerabilities, Guillermo Gregorio (@bsysop), a dad superhero and skilled hacker, and █████ (@_medusa_1_), a stealthy genius unveiled key insights about HTTP Request Smuggling.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

New TE.0 HTTP Request Smuggling

While cloud hosting offers security benefits, unknown HTTP Request Smuggling vectors can still pose significant threats. 

A recent discovery affected thousands of Google Cloud-hosted websites using their Load Balancer, compromising various services, including Identity-Aware Proxy. 

Researchers employ differential testing tools like http-garden for local servers and “spray-and-pray” techniques on bug bounty programs for cloud infrastructures to uncover such vulnerabilities. 

Tools like bbscope can generate extensive target lists for vulnerability research, highlighting that HTTP Request Smuggling remains a widespread and under-researched security issue.

TE.0, a new HTTP request smuggling variant, was discovered to be affecting Google Cloud’s Load Balancer.

The technique, which is similar to the CL.0 variant but uses Transfer-Encoding, enabled mass 0-click account takeovers on susceptible systems.

Attack flow (Source – BugCrowd)

It affected thousands of targets, including those protected by Google’s Identity-Aware Proxy (IAP), and it was widespread among Google Cloud-hosted websites that were set to default HTTP/1.1 rather than HTTP/2.

This discovery shows how HTTP Request Smuggling techniques keep evolving and why constant security research is crucial in cloud infrastructures.

TE.0 HTTP Request Smuggling vulnerability affected Google’s Load Balancer and compromised Google Identity-Aware Proxy (IAP), a key feature of Google Cloud’s Zero Trust security.

This flaw made it possible to bypass the strict authentication and authorization measures of IAP consequently violating its principle “never trust, always verify.”

The flaw allowed site-wide redirects as well as malicious use of application-specific widgets which could have led to severe security breaches.

All TE.0 attacks were able to evade IAP protection though not all had serious consequences.

Google admitted this after initial reporting challenges, demonstrating that fixing loopholes in cloud infrastructure is a complex problem.

Here below we have mentioned the disclosure timeline:-

Disclosure timeline (Source – BugCrowd)

Google Cloud’s infrastructure was discovered to have a significant vulnerability due to persistent attempts to hack through the web application by using HTTP request smuggling techniques.

Research motivated by curiosity which resulted in a big check and a lesson that cyber security highlighted the value of creative thinking.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

8 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

8 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

10 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

11 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

11 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

11 hours ago