Security firm publishes details, exploit code for Google App Engine flaws

Polish firm Security Explorations has published technical details and PoC code for several security issues identified in Google App Engine (GAE) for Java.

The company has found over 30 vulnerabilities during their Google App Engine for Java security research project, and has notified Google of them late last year.

Google first suspended the test account the researchers were using, then re-enabled it, thus “blessing” further research but also noting that Security Explorations should restrict their testing to the Java VM and not try to break into the sandboxing layer. Security Explorations then found additional flaws.

Since then, Google has fixed most issues, but not all, and the researchers have been having trouble getting updates from the Internet giant.

“It’s been 3 weeks and we haven’t heard any official confirmation/denial from Google with respect to Issues 37-41. It should not take more than 1-2 business days for a major software vendor to run the received POC, read our report and/or consult the source code,” Security Explorations CEO Adam Gowdiak noted in a post on the Full Disclosure mailing list.

“This especially concerns the vendor that claims its “Security Team has hundreds of security engineers from all over the world” and that expects other vendors to react promptly to the reports of its own security people.”

He also complained that they were not notified of fixes pushed out for some issues – so-called “silent fixes” – and said that they do not expect to get additional VRP rewards from Google due to the publication of these details.