New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations in the way different web servers or intermediaries, such as load balancers and proxies handle HTTP request sequences.

By creating malicious HTTP requests that exploit these inconsistencies, an attacker can control the order in which requests are processed, possibly resulting in unauthorized access, circumvention of security controls, session hijacking, or injection of malicious content into responses meant for other users.

This flaw is based on differences in the interpretation of start and end points for HTTP requests, which helps the server process them incorrectly.

Cybersecurity researchers at BugCrowd recently in a collaborative effort by Paolo Arnolfo (@sw33tLie), a hacking enthusiast passionate about server-side vulnerabilities, Guillermo Gregorio (@bsysop), a dad superhero and skilled hacker, and █████ (@_medusa_1_), a stealthy genius unveiled key insights about HTTP Request Smuggling.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

New TE.0 HTTP Request Smuggling

While cloud hosting offers security benefits, unknown HTTP Request Smuggling vectors can still pose significant threats. 

A recent discovery affected thousands of Google Cloud-hosted websites using their Load Balancer, compromising various services, including Identity-Aware Proxy. 

Researchers employ differential testing tools like http-garden for local servers and “spray-and-pray” techniques on bug bounty programs for cloud infrastructures to uncover such vulnerabilities. 

Tools like bbscope can generate extensive target lists for vulnerability research, highlighting that HTTP Request Smuggling remains a widespread and under-researched security issue.

TE.0, a new HTTP request smuggling variant, was discovered to be affecting Google Cloud’s Load Balancer.

The technique, which is similar to the CL.0 variant but uses Transfer-Encoding, enabled mass 0-click account takeovers on susceptible systems.

Attack flow (Source – BugCrowd)

It affected thousands of targets, including those protected by Google’s Identity-Aware Proxy (IAP), and it was widespread among Google Cloud-hosted websites that were set to default HTTP/1.1 rather than HTTP/2.

This discovery shows how HTTP Request Smuggling techniques keep evolving and why constant security research is crucial in cloud infrastructures.

TE.0 HTTP Request Smuggling vulnerability affected Google’s Load Balancer and compromised Google Identity-Aware Proxy (IAP), a key feature of Google Cloud’s Zero Trust security.

This flaw made it possible to bypass the strict authentication and authorization measures of IAP consequently violating its principle “never trust, always verify.”

The flaw allowed site-wide redirects as well as malicious use of application-specific widgets which could have led to severe security breaches.

All TE.0 attacks were able to evade IAP protection though not all had serious consequences.

Google admitted this after initial reporting challenges, demonstrating that fixing loopholes in cloud infrastructure is a complex problem.

Here below we have mentioned the disclosure timeline:-

Disclosure timeline (Source – BugCrowd)

Google Cloud’s infrastructure was discovered to have a significant vulnerability due to persistent attempts to hack through the web application by using HTTP request smuggling techniques.

Research motivated by curiosity which resulted in a big check and a lesson that cyber security highlighted the value of creative thinking.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

GitLab Security Update, Patch for Critical Vulnerabilities

GitLab announced the release of critical security patches for its Community Edition (CE) and Enterprise…

2 hours ago

BadRAM Attack Breaches AMD Secure VMs with $10 Device

Researchers have uncovered a vulnerability that allows attackers to compromise AMD's Secure Encrypted Virtualization (SEV)…

3 hours ago

Splunk RCE Vulnerability Let Attackers Execute Remote Code

Splunk, the data analysis and monitoring platform, is grappling with a Remote Code Execution (RCE)…

4 hours ago

Europol Shutsdown 27 DDoS Service Provider Platforms

In a major international operation codenamed “PowerOFF,” Europol, collaborating with law enforcement agencies across 15…

5 hours ago

Resecurity introduces Government Security Operations Center (GSOC) at NATO Edge 2024

Resecurity, a global leader in cybersecurity solutions, unveiled its advanced Government Security Operations Center (GSOC)…

19 hours ago

Reserachers Uncovered Zloader DNS Tunneling Tactics For Stealthy C2 Communication

Zloader, a sophisticated Trojan, has recently evolved with features that enhance its stealth and destructive…

19 hours ago