Vulnerabilities in the Google App Engine cloud platform make it possible for attackers to break out of a first-level security sandbox and execute malicious code in restricted areas of Google servers, a security researcher said Friday.
Adam Gowdiak, CEO of Poland-based Security Explorations, said there are seven separate vulnerabilities in the Google service, most of which he privately reported to Google three weeks ago. So far, he said, the flaws have gone unfixed, and he has yet to receive confirmation from Google officials. To exploit the flaws, attackers could use the freely available cloud platform to run a malicious Java application. That malicious Java app would then break out of the first sandboxing layer and execute code in the highly restricted native environment.
Malicious hackers could use the restricted environment as a beachhead to attack lower-level assets and to retrieve sensitive information from Google servers and from the Java runtime environment. Technical details about the bugs, noted as issues 35 through 41, are available here, here, here, and here. In an e-mail to Ars, Gowdiak wrote: