Google App Engine Java sandbox is leaking, say researchers
Happy hackers out ad giant after it stops replying to email about flaws
Security Explorations hacker Adam Gowdiak says three partial Java sandbox security holes still exist in Google App Engine.
Gowdiak says the problems stem from buggy implementations and lax security checks that mean evildoers could gain access to the Google cloud's Java environment.
He dropped exploitation code after the ad giant ceased communication with him last month.
"It's been three weeks and we haven't heard any official confirmation or denial from Google," Gowdiak says in an advisory.
"It should not take more than one to two days for a major software vendor to run the received proof of concept, read our report, and consult source code."
Google has been contacted for comment.
Gowdiak says Google appears to have quietly patched some parts of the security vulnerabilities without liaising with researchers, claiming it is the third time the company has done so.
The proof of concept code is released so that the vulnerabilities are not "held hostage" to Google's bug program requirements.
Gowdiak says the vulnerability release won't raise eyebrows at Google since the security layers underneath the Java are robust.
Security Expectations has reported more than 30 vulnerabilities and is aware that the full disclosure could mean it loses some US$20,000 in outstanding bug bounty payments.
"The irony is that of all the bugs reported to Google so far were specific to the extra security layer implemented on top of the Java runtime environment that aimed to protect Google App Engine against security vulnerabilities in Java.
More technical details of the bugs are available in a research document [PDF]. ®