Asset Key Thief is a recently patched Google Cloud privilege escalation vulnerability. It allowed any Google Cloud principal holding the Cloud Asset Viewer role (or any other role carrying the `cloudasset.assets.searchAllResources` permission) on the Cloud Asset Inventory API at the Project, Folder, or Organization level to view, and therefore exfiltrate, the private key of any user-managed Google Cloud Service Account key in any project within that scope, provided the key had been created or rotated no more than 12 hours earlier.
Access to a Service Account's private key allows full assumption of that Service Account's identity and privileges, which would have given attackers a persistent and reliable method for abusing a Google Cloud environment.
It is SADA's opinion that this vulnerability was severe because the permission is commonly granted to third-party cloud security tools, such as Cloud Security Posture Management tools, so that they can gather cloud inventory data from the API. Learn how SADA Security experts and Google identified and remediated this cloud vulnerability.
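The 12-hour exposure window described above gives defenders a concrete triage question: which user-managed keys were less than 12 hours old at the moment a non-allowlisted principal searched Cloud Asset Inventory? The following Python helper is an added example, not SADA's or Google's tooling. It correlates Cloud Audit Log entries for `google.iam.admin.v1.CreateServiceAccountKey` (a rotation also produces one of these, since rotating means creating a new key) with `google.cloud.asset.v1.AssetService.SearchAllResources` calls and reports the keys that should be rotated. The audit log method names are real; the project, principal and key identifiers in the sample log lines are constructed.

```python
# Added example (not SADA's or Google's code): incident-response triage helper that
# correlates Cloud Asset Inventory SearchAllResources calls with service account key
# creations and flags keys that were inside the 12-hour exposure window when an
# untrusted principal searched. Method names are the real audit log values; every
# project, principal and key identifier below is a constructed sample value.
import json
from datetime import datetime, timedelta

EXPOSURE_WINDOW = timedelta(hours=12)
SEARCH_METHOD = "google.cloud.asset.v1.AssetService.SearchAllResources"
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

# Principals expected to call SearchAllResources (e.g. a CSPM scanner). Constructed.
TRUSTED_PRINCIPALS = {"cspm-scanner@example-project.iam.gserviceaccount.com"}

KEY_A = "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/key-a"
KEY_B = "projects/-/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/key-b"


def _entry(ts, service, method, principal, resource=""):
    """Build one constructed Cloud Audit Log record, trimmed to the fields used here."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": principal}}
    if resource:
        payload["resourceName"] = resource
    return json.dumps({"timestamp": ts, "protoPayload": payload})


# Constructed sample log lines: two key creations, three asset searches.
SAMPLE_LOG_LINES = [
    _entry("2024-01-01T08:00:00Z", "iam.googleapis.com", KEY_CREATE_METHOD,
           "admin@example.com", KEY_A),
    # Trusted scanner searches 1h after key A was created: expected behaviour.
    _entry("2024-01-01T09:00:00Z", "cloudasset.googleapis.com", SEARCH_METHOD,
           "cspm-scanner@example-project.iam.gserviceaccount.com"),
    # Untrusted principal searches 6h after key A was created: key A is exposed.
    _entry("2024-01-01T14:00:00Z", "cloudasset.googleapis.com", SEARCH_METHOD,
           "attacker@example.com"),
    _entry("2024-01-01T21:00:00Z", "iam.googleapis.com", KEY_CREATE_METHOD,
           "admin@example.com", KEY_B),
    # Untrusted search 12h + 1s after key B: just outside the window, not flagged.
    _entry("2024-01-02T09:00:01Z", "cloudasset.googleapis.com", SEARCH_METHOD,
           "attacker@example.com"),
]


def parse_entries(lines):
    """Parse JSON log lines into (timestamp, method, principal, resource_name) tuples."""
    entries = []
    for line in lines:
        rec = json.loads(line)
        payload = rec.get("protoPayload", {})
        # Cloud Logging timestamps end in "Z"; fromisoformat wants an explicit offset.
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        entries.append((ts,
                        payload.get("methodName", ""),
                        payload.get("authenticationInfo", {}).get("principalEmail", ""),
                        payload.get("resourceName", "")))
    return entries


def keys_at_risk(lines, trusted_principals):
    """Map each key resource name to the sorted list of untrusted principals that ran
    SearchAllResources while the key was at most EXPOSURE_WINDOW old."""
    entries = parse_entries(lines)
    creations = [(ts, res) for ts, m, _, res in entries if m == KEY_CREATE_METHOD]
    searches = [(ts, who) for ts, m, who, _ in entries
                if m == SEARCH_METHOD and who not in trusted_principals]
    at_risk = {}
    for created_at, key_name in creations:
        for searched_at, who in searches:
            # A search before creation cannot have seen the key; one after the
            # window could not either, per the 12-hour bound described above.
            if created_at <= searched_at <= created_at + EXPOSURE_WINDOW:
                at_risk.setdefault(key_name, set()).add(who)
    return {key: sorted(who) for key, who in at_risk.items()}


if __name__ == "__main__":
    for key, principals in keys_at_risk(SAMPLE_LOG_LINES, TRUSTED_PRINCIPALS).items():
        print(f"ROTATE {key}: searched during exposure window by {', '.join(principals)}")
```

Two caveats when running this against real exports: `SearchAllResources` is a read call, so it is only recorded if Data Access audit logging is enabled for the Cloud Asset API, and the search may have been issued at Folder or Organization scope, so the correlation should be run over logs from every project in that scope rather than a single project's log sink.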