Hacker News new | past | comments | ask | show | jobs | submit login
I have gained admin access to numerous GCloud Organizations by accident
275 points by anon223345 10 months ago | hide | past | favorite | 121 comments
in Google Cloud, you can assign admin, billing, etc to a google group.

Years ago I made a google group for google cloud administration

A company in Spain, a bunch of startups, etc have added that google group (by accident) as an IAM user with varying level of roles attached

I now have billing access to one account, admin access to another, can just hop into the database of at least two of the accounts

I try to reach out to google support but because I don’t have “business” or “enterprise” level support I can’t even submit a ticket

I’m trying to let them know but can’t, they do t do chat, no phone number, even billing contact is an automated chatbot only

GCloud should have like “emergency reach out to a person” link or something

A few months ago I stumbled upon a bug in a state machine that allowed me to obtain stuff without having to pay for it. It was a weird combination of steps and was kind of hard to explain.

I submitted a ticket to the support team advising them in painstaking detail the steps needed to reproduce this vulnerability. They could also look at my account and see that I got stuff without paying.

A couple days later I got a reply from a support manager that my concern wasn’t valid and there was no bug.

The next week I happened to be at a conference where the company in question was a sponsor. So, I visited their booth and spoke with the VP of Eng. He asked me to forward the ticket to security@. Within 8 hours I got a reply from them saying that they had fixed the bug.

I guess I’m saying that even if Google let you submit a support ticket it might get ignored because they aren’t trained to deal with security reports.

There are quite a few post on Raymond Chen's "The Old New Thing" blog about bogus security reports e.g. this one [1] from 2022 or this one [2] from 2006. They're often described as requiring you to already be "on the other side of this airtight hatchway" (a Hitchhiker's Guide to the Galaxy reference) because you already need admin rights in order to get admin rights.

That seems to suggest that Microsoft takes all security reports seriously even if most turn out to be bogus.

[1] https://devblogs.microsoft.com/oldnewthing/20221004-00/?p=10...

[2] https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...

If MS really investigates all bug reports that is good. But, it seems like this should be expected?

From misc. articles I've seen (mainly posted here on HN; I don't buy MS products) MS dismisses bug reports as unimportant and sometimes takes an extremely long time to address known security vulnerabilities.

This VM escape was initially reported as an RDP bug that MS dismissed as unimportant, until it was used as a VM escape against their hypervisor.


The (in)famous pass-the-hash bug in windows is an example of MS not addressing serious security issues in a timely manner. Windows treats a password hash as equivalent to the password, so you don't even need to crack hashed passwords you've collected from e.g., the registry to authenticate to windows services (MS "protected" against this attack purely client-side). Microsoft acknowledged the issue was real more than a decade before even attempting to fix it.

Apparently it was a difficult bug that included design failures, but over 10 years and multiple versions of windows for an exploit this severe?

A couple days ago a Google Cloud container escape made HN front page. Comments on that article indicated Microsoft Azure had recently suffered the same, but while Google only allowed access to other containers owned by the same tenant, Microsoft's escape allowed access to all tenants on the same host. Google added a second layer of safety in case the first failed (a dedicated VM per host per customer to run each costumer's containers). Microsoft YOLO'd. I don't care enough to research these claims beyond noting that at the time I read them, no one had disputed them.

I don't know if Microsoft is overall still worse than its competitors WRT to security (I suspect it is true). But, Microsoft is certainly not an exemplar for how security should be done.

More on-topic with main thread, nonexistent support is kinda what Google is known for?

At least Google now uses abuse@gmail.com for reporting abuse from their infrastructure instead of forcing the reporting party to go through a god-awful web form (when I handled mail at past orgs, I didn't even bother reporting gmail abuse due to the hoops they made you jump through back then; I also used the RFC-Ignorant RBL to punish them and other sites that did not use the RFC mandated email addresses for reporting abuse with a higher bias toward triggering a SPAM tag on their mail).

Perhaps time for an RFC that mandates security contacts?

> The (in)famous pass-the-hash bug in windows

I can't find any articles for this whatsoever on Google. No matter how many times I include "windows" or "microsoft" (quoted or otherwise) I only get clickbait SEO-spam articles talking about pass-the-hash vulnerabilities in general, not any description or reference to a specific incident in Windows.

Could you please link some article about this so I can read about it?

Try: https://www.coresecurity[.]com/sites/default/files/private-f... for a discussion that mentions Paul Ashton's PtH toolkit from ~1997 or so.

please don't defang that link. It makes it nearly impossible to access in my browser. Right clicking to copy doesn't work (no "Copy" option in context menu). Selecting to copy doesn't work, because HN cuts off the link. I had to open developer tools just to grab the value of the `href` attribute and then edit out the brackets.

But thank you for the PDF, it seems like an interesting read!

(non-defanged link for any future visitors: https://www.coresecurity.com/sites/default/files/private-fil...)

People are just optimizing for the job they have assigned to in large organisation as compared to smaller orgs where ownership is with everyone. In this particular case, support manager optimized for their own KPI which could be number f tickets resolved or closed. Whereas, VP Eng. who is probably the owner of the problem statement care more about the issue.

To your point, there should be some easy way to get a security incident report to the security team through an easily discoverable form or similar. This is as easy as "security incident" option in a support ticket drop down, and triage is required whether this is an ingest point or security@ email.

You and I know this, but if you're not a security practitioner, you might not know. It might as well then be behind a door for a room with a sign that says "Beware of the Leopard."

I understand some scrappy startups like Google don't have the resources to have someone review security incident reports that come through a web form, but maybe they should if they want to be a legit cloud provider?

Googling "report google cloud security issue" does not turn up productive results. Compare to what you get when you google "report aws security issue."

The 3rd result for "report google cloud vulnerability" is productive

Isn't that what the bug bounty program is?


Also, it doesn't shock me that somebody got a common group name early on in an internet-scale service's lifecycle. I've had a couple such experiences. Simple example: in the early days of Google Hangouts, you could choose your own meeting name in the URL. I chose "compass" for a meeting and accidentally landed in a meeting of Google engineers who were very surprised by my appearance. Fortunately my meeting was a meeting I had arranged so I beat feet and changed my URL to the default auto-generated URL before the rest of my participants arrived.

Fun times when it becomes common knowledge that to get attention if support isn’t working is to claim a security incident - and everyone starts doing it, hah.

That's pretty easy to deal with: respond with only "not a security issue" if it's not.

Or, actually have support, but that's not Google's style.

I can tell you “your obtain stuff without paying by doing a weird combination of steps” is happens quite a bunch of times and is not a bug but some sort of easer egg. For a while there was a chain in Europe where if you scanned products in a specific order at the till it would be kick in difference price :)

Ex-Googler here. Try reporting it through the security disclosure program: https://www.google.com/appserve/security-bugs/m2/new

You can also assume that by virtue of you having posted this here and being on the frontpage, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact. This almost always works :)

Maybe edit your OP with a way to contact you, so that someone can reach out.

> You can also assume that by virtue of you having posted this here and being on the frontpage, it's probably made it to the internal Google SRE IRC chat by now and someone is trying to find a contact.

In that case no point in following up at all right? Just post on HN and hope someone in the right spot sees it?

> This almost always works :)

That’s the type of SLA one can rely on!

> Maybe edit your OP with a way to contact you, so that someone can reach out.

Having to break online anonymity so that a company can impose the Hollywood rule, “don’t call us, we’ll call you!”, is a truly lousy support structure.

> Just post on HN and hope someone in the right spot sees it?

That's how a lot of Google tech support happens. If you get banned by mistake, you have far better luck making noise here or on Twitter vs actually going through support.

We had an app mistakenly banned that we only got human eyes on by calling in favors from old friends who work at Google. It's asinine.

It seems they actually responded to the bug bounty request, I put the response up above

Apples anonymous emails may work for this purpose.

Or Firefox Relay.

Google already know about this one, fat lot of good it's done for the last 12 years: https://issuetracker.google.com/issues/35889152

Person abandons old account attached to a group/project, account then hacked, et voila!

It's also probably in breach of GDPR regs that say you should be able to update your own information if it's incorrect.

I filed a bug bounty! If this is working as expected then so be it…

I didn’t even know this hit front page till you said something

I’m just gonna leave the other orgs alone and not doing anything in there until I can figure out a strategy to delete this google group (which I am actually using to manage my own accounts) my accounts are just hobby accounts more than anything, it’s crazy I logged in and found these full-blown business accounts lol

Just insane to me that I don’t have to confirm on my end that I should be the admin, or billing role lol, they can just one way add you…

I think they meant to add their service account and instead added my google group, the URLs are kind of similar

> by virtue of you having posted this here

But it's not even the first time this issue was posted here. I'm not sure that approach works with Google.


It's a dice roll, if someone in a timezone where people are working while this post is trending sees it, finds it interesting, and can be bothered to post about it somewhere internally - it can help!

Of course, it would be better if there was an actually supported channel for sending this kind of information, but that's really not the fault of the people that end up finding this stuff and posting it internally (who are often not even related to the problem, posting more of a "hey, anyone know anyone who can help this guy?" message).

FWIW, the security disclosure form I posted will end up reaching a human, which is why I suggested doing that anyways.

I’ll try that I suppose, it sounds like I’m going to have to delete that google group which is going to be a pain because I actually use it…

I did file a bug bounty hopefully that goes somewhere

This isn't a Google security incident though, they could fix it, but it's not obvious they should/would care to me?

It's the third-party's security team (if there is one, otherwise engineering, contractor hirer, whoever) that should care isn't it?

Yes, but the way that would work is that somehow this should bubble through the security org to someone in Cloud Sales, who can then look in Salesforce who the relevant internal sales contacts (i.e. the people from Google that the affected company is in touch with) are and reach out to them.

I recently helped someone with google cloud web applications. They got a weird bug where the deployment with new code would just give old deployment logs. Turned out the account was somehow shadowbanned for a day or so to deploy anymore. The next day the logs pointed to a code checkin from previous day.

Eventually i got super fristrated and made a fresh azure trial account for them and boom everything works.

I cannot understand how gcp is so bad at ux and support. Most of the engineers i know at google are the absolute smartest people i know, how in the heck can it be the product experience at gcp is so lousy.

Internal SRE IRC? Too good for the laggy Slack/Teams/etc. CVEware??

I'd be jealous, but then I realized it prob has good uptime whereas using Slack is like a free day off every month with its SLA.

Yes, SRE doesn't wanna deal with all that crapware. Though as I was leaving, a lot of people were moving over to an IRC bridge to the (absolutely horrible, in my opinion) Google Chat.

Long time ago, many jobs ago, the whole company was on Skype. We (the ops team) just set up an IRC server on one of the boxes.

(The box was also useful for a lot of other things, like an Openarena server. We tend to play StarCraft 2 these days though.)

Thank you will try that…

As a person who paid for Google's "Gold" support. They are less than useless.

Don't go into these accounts at all. Not even to try and help/contact them. Laws about this are very vague and no one within the ORG would want to admit that they made a mistake by adding you.

I’ve had access to both Google’s and Amazon’s paid support options (up to and including enterprise support).

Amazon’s support has gone above and beyond for me over the years in ways I didn’t even expect or ask them to.

In comparison, I agree with you that Google’s support is useless.

My experiences with AWS support have actually left me with a positive impression of the platform, while my experiences with Google reinforced that they don’t know how to do support. At all.

Want to guess where our 8-digit cloud spend goes?

Out of curiosity, I tried to search for the specific function of Support Engineer both for AWS and Google on several job boards. It is a mostly un-scientific approach of course, but the results are as expected. It doesn't even look like google hires Support Engineers. LOL

They outsource it. I'm on the U.S. East Coast. My last GCP support ticket ended up in Romania.

And nothing against Romanians! I work with a ton of brilliant folks there.

Outsourcing inevitably creates a firewall between engineering and support that shouldn't exist though.

In a properly functioning org, support has a way to escalate quickly to engineering if it's confirmed "This is broken." Engineering in turn uses those incoming requests to recognize flaws in their own products.

Outsourcing creates "Hide behind the SLAs and remain ignorant of any issues you've created" barriers that will ultimately sink a company.

At Basho engineers would often spend time working support to get a better view into customer pain points. Outsourcing support sounds like a giant middle finger to customers.

I'm biased, because I came up through support before I went into engineering.

But to me, the question has always been "Do I think I'm omniscient as an engineer? Do I think I can imagine every way the customer is going to try and use this product? Every way it can interact with other systems? Every quirk of a specific customer environment/dataset/etc.?"

Well, if not, then good news! The support org should be capturing, categorizing, documenting, and forwarding all those cases to me.

And each case is an opportunity to make the product better!

Google is a global company. How do you know they aren't google employees in Romania?

They might be a Google employee, and I have no issues with Romanians, but if they cared about the support experience they should have placed me with a rep that has much better timezone overlap.

From their subprocessors list it looks like it was most likely "WEBHELP ROMANIA SRL"

I mean, you can't be 100% sure in any one case but they do have a lot of third-party companies listed for support: https://cloud.google.com/terms/subprocessors

Will choose AWS just for support anyday over alternatives. I'm not even a paying customer and I had a slight issue regarding multiple emails registered under the same account and such. I was just starting with AWS. The support was really helpful and provided me with information I didn't even know I needed.

Agree. AWS charge a minimum of 3% of your bill towards support. Which is fine, it makes support scaleable and even a profit centre.

What's weird is that GCP charge the same but apparently don't deliver

Even if you manage to reach out to Google, I doubt they will do anything like remove your group from those roles. From their POV you could be just trying to social engineer them into removing someone who has legitimate access.

I think you have better chances contacting people in the org who added your group to those roles.

Google shouldn't automatically remove you but

1. They should contact the firms involved, make them aware of the situation and then the firms will take a decision on whether to remove or not.

2. They should then look over GCP design and see if there's something that they can do to prevent a reoccurrence of this type of error/mistake

I have a similar-but-different problem: a commonly used Gmail address that apparently someone(s) not me was using out in the wild for serious business.

Among other things, I received:

  Interview requests for jobs to which I never applied
  A background screening for a FL sheriff's job
  Legal communications for buying a home
  Business relationship emails
  Account and subscriptions for a variety of services
Relevant point being -- every single one of these counterparties had no idea what to do with me responding "I am not the person who you've been talking with about this. They appear to be using my email. Please ask them to update their email."

It made me realize how shitty most people are at dealing with anything other than business-as-usual.

Agreed. I know Google is famously hard to get in touch with, but I don't understand how this fall on Google's plate or is really Google's fault at all. Maybe if they shared some more info about what IAM group they created that managed to trick people into adding it Google could create rules to ban group names like that from being created?

It's Google's fault because there's no "remove me from having access to this" button.

if one is conscientious enough to report themselves be removed, they could also simply ignore the access

There's liability in having access to some random crap, even if you don't intentionally use it.

If something goes wrong, someone accesses or modifies something that they shouldn't have, you having access is going to be at _best_ confusing to everyone. At worst the cops or lawyers will come calling. Sure you'll _probably_ be able to talk them down, but does that sound like fun?

Or what if someone breaks in to _your_ account and accesses that way? Untangling that mess will not be a good time.

And let's say those firms are creating some shady stuff like Silk Road. You'd have a hard time explaining to the Feds that you appear as an administrator because of a mistake.

Update #2 - they actually responded to my bug bounty request. Seems they think it may be worth fixing but not a big enough deal to pay out a bounty to me. Obviously I’d like the bounty but if I got any recognition that would be awesome

—- Hi,

Thanks again for your report.

I've filed a bug with the responsible product team based on your report. The product team will evaluate your report and decide if a fix is required. We'll let you know if the issue was fixed.

Regarding our Vulnerability Reward Program: At first glance, it seems this issue is not severe enough to qualify for a reward. However, the VRP panel will take a closer look at the issue at their next meeting. We'll update you once we've come to a decision.

If you don't hear back from us in 2-3 weeks or have additional information, let us know!

Regards, Google Security Team

You have my respect!

As other commenters here have noted, a company can't just do this accidentally. If they add an external group, there's a warning message. Because many times it may be a mistake, but there are also many times a company will have a legitimate reason to do so.

This isn't a bug, it's a feature. If you want to do the right thing, the correct course of action isn't to notify Google, it's to send an e-mail to the companies so they can revoke access to the group. It's not Google's problem.

Or if you don't want to deal with that and the group isn't used for anything anymore and you still want to be a good citizen, just delete everybody else from the group.

I’m just going to delete the group

Bad idea. You're a good person, the next person to create the group name (which you've helpfully published here) may not be.

Ha! This is exactly what I’m seeing…

I’m looking through these comments to see how I can reach out to google cloud from these links

I do not even want this access…!!!

At least twice I have left a review about a Business on Google Maps and ended up as an admin of their business profile. I don't know what's going on with Google.

Did you reply to your review at least, to complete the circle? /s

That’s awesome lol

I'm the SRE oncall for Cloud IAM. Can you send me a message on linkedin (link in my profile)? I'll give you my Google corp account email address.

FYI there's no such thing as direct messages on HN.

You need to put a means of contact in your profile, or edit your comment to add it. It can be a disposable e-mail (like https://temp-mail.org/en/) if you want to enable a short-term communication like in this case.

(Side note, I've seen this crop up so much that it kind of seems like it would be good to have a DM functionality in HN, even if messages were auto-deleted after 7 days or something, or if it just forwarded to a non-public e-mail address.)

Thanks, I added my linkedin to my profile because I already treat that as spam :)

Hey! I sent you a friend request in LinkedIn, it didn’t let me message you directly without having LinkedIn premium

Can send you the whole 9 yards over there

As an admin of their group can you see their group admin contact email address? If so maybe they have an enterprise account and can reach a human in Google. I am not a lawyer but there is probably risk in accessing any of their data, audit trails and all.

Ya I’m not doing anything, I saw these random orgs on my console and just clicked and it took me to those pages

Didn’t poke around, was more like what the heck is this?

I only noticed because I logged in and the page defaulted to Spanish (it picked the first org, which happens to be a Spanish car company)

Then I noticed in the drop downs. I actually thought I was hacked, then realized what was going on.

Still trying to find a way to get ahold of Google lol

I have no idea if this [1] is still valid but it has a number that might work. Perhaps tell them you may have experienced a security incident related to a Google UI/UX bug. Another approach could be reaching out to their Project Zero team. [2] or try some of the contacts here [3] and tell them you may have a security incident that has enabled access to other organizations.

[1] - https://www.businessinsider.com/guides/tech/how-to-contact-g...

[2] - https://googleprojectzero.blogspot.com/

[3] - https://about.google/contact-google/

You are prompted to confirm an external group being added as admin. Someone purposefully ignored it.

Good luck. You're trying to do the right thing but if they lawyer you, remind them they added you not you added them.

I would have thought that being "added" to anything is a two-way confirmation:

1. One from the party wanting to add the group to their account. Based on a prior comment, sounds like you are prompted to confirm an external group being added as admin.

2. One from the party administering/owning an external google group being requested to be added. Is there any confirmation here?

Without the 2nd confirm, I start imagining security exposures in the family of Ransomware - let's call it "RansomAdd". You randomly add external google groups until you get someone to poke around "too much" and then threaten them with legal action unless they pay up. Ugh.

Hah, probably wouldn’t work well though. The types of folks who have money AND would be fooled by something like that would almost never have the time or curiosity to go poking around.

Isn't this a little like reaching out to Linus because someone changed their home directory permission to rwxrwxrwx? It sucks for them, but what could google do?

They could make the default such that you couldn't grant anyone outside your organization any particular role, unless principals associated with that domain are explicitly whitelisted (by domain).

(And, in the other direction, there should be a request/response flow when you're added to some random project/org you have no interest in, which can make you vulnerable both to legal attacks by the org mistakenly adding you and to phishing.)

Many folks have contract admins, it would add a lot of friction for the normal case just to try to prevent something that should be transparently dumb anyway.

If it were happening a bunch, there might be a good case to be made for changing permission-granting UI. Maybe not kernel-level, but OS-level, at least.

In fact, lots of distros now warn when a user attempts certain sudo actions, for similar reasons—mistakes were being made, and adding a little or the right kind of friction could prevent them.

Maybe if Linus maintained a paid product that included that home directory.

Contact the customer.

I was successful in the past reaching out through this:


I was told "issuetracker" generates messages directly to support/engineering teams and they do look into it.

Submit a "defect" and they will answer.

Just ignore it move on. There's no winning there. In the worst case, the company may try to file charges against you for computer abuse/fraud. In the best case, an otherwise harmless association is removed from your account. It is impossible to get ahold of anyone at Google if you are not an enterprise customer. Just forget about it and do nothing.

As usual, the expected Google Clown Platform support.

FWIW, 3 months ago they shutdown my servers for some minor issue and I'm only able to get them to reactivate after a week.

Source: https://news.ycombinator.com/item?id=35133917

Surely there should be a way for an owner of a group to revoke these permissions. I am not familiar with the tech though.

If it is not too much hassle I would create a new group, switch to it and delete the old one. This is just one of many reasons corps add prefixes to their naming conventions in the cloud.

I would not go down the path of contacting the companies. You have to see it from their point of view when it comes to security and legal processes. Just because you know that you have not done anything wrong does not mean anything for how they will proceed. They will start from the objectives. Somebody has access to our stuff.

At my previous job i brought credentials leakage to higher ups attention but it went unfixed for a year. Nothing to gain Other than wasting our time.

If there's no way to contact them then I'd probably just delete their stuff altogether. What are they gonna do, contact google support? :-)

UPDATE: I have just submitted a bug bounty request

That would really help my career and life if I get that!

I won’t do anything with the accounts I accidentally have access to

Just to better understand, was it a "generic enough" Google Group name that people used its name in the policy thinking they were granting access to their own "google cloud administrators"? Or were people/companies actively part of that Google Group you created?

Yes exactly, it’s a group with just a generic name I made many years ago…

I'm surprised anyone would ever use Google Cloud Platform after reading this. No support at all? AWS blows them out of the water because they value customer support, I guess.

Update #3 Got an honorable mention from Google Bug Hunters

They said they’re gonna see if it’s worth fixing and will get back to me. They didn’t award a bug bounty, but I’ll take the kudos.

Almost as funny as naming your kid "delete from users".

Be very careful. Even though you're trying to do The Right Thing don't alert these companies to the fact you've been accessing their accounts without permission.

I'm seeing a lot of these kinds of comments, and think this might just be an American worry (because it's such a litigious place)?

People in the Netherlands and England where I also lived for a short while, are pretty chill with these kinds of things. I can't imagine them doing anything other than thanking you profusely.

I mention this because I'd rather this kind of attitude wasn't imported to Europe.

For me it's a Google worry. I'd be terrified they'd delete my Google (Gmail) account with no way to recover.

I’m not American and live in the UK.

Lawyers aren’t chill about anything, and it could be financially ruinous to try find out.

I was under the impression that the key concern here is being criminally prosecuted, not sued. Even if they obviously didn't do this on purpose, depending on how they communicate it to the companies involved, the worse case scenario is that it could be perceived as some kind of phishing attack / fakeout done with malicious intent. Even if they could prove their innocence, no one wants to deal with something scary like that in court.

While I'm not familiar with the nuances of each European nation's computer fraud laws regarding this, I can't imagine this would be any different there. Especially as Cybersecurity becomes an increasingly international concern.

> People in the Netherlands and England where I also lived for a short while, are pretty chill with these kinds of things.

Imagine that, at 5pm on Friday, you discover your IT system has been the target of a huge hack, possibly by russians or north koreans, that they got access to everything, it's been going on for months, and it's certainly a notifiable breach under GDPR.

Would you be chill?

I can say from experience, many people call the cops and lawyers first, and only find the support ticket that first-level support fobbed off with a canned response much later.

Not sure what support could do for you that you could not do yourself, ie: undertake to degrade the 'years ago group' and alert responders as needed.

Good call, the problem is I use the group for my own projects…

I will painstakingly change that to not use groups and then delete the group if it lets me

It’s just kinda stupid people are allowed to just add my group with my group not even confirming

Seems like nothing support could do that you could not do yourself, ie: degrade the 'years ago group' and assist responders as needed.

Shouldn't you contact the org that added your account? This is much more a config issue / user error than a Google bug.

Just be careful y'all. Even though something is a bug or a mistake you could get in bigtime shit over it, or a bill.

GCloud security is horrible. It's like they designed the whole thing to be insecure by default. Coming from AWS, the amount of permissions they give by default in the most commonly-used roles is insane. They also seem to lack some functionality necessary to make fine-grained access permissions to access some of their advertised features. It's really crazy.

Ask them to increase "your" GPU quota by 100x. That should surely be enough of a red flag.

I think you can reach them on their forum as well, for example https://www.googlecloudcommunity.com/gc/Security/Welcome-to-....

Most of those "community" forums are not monitored by actual staff. Google uses "communities" as a way to get free tier one support out of the community, and to save even more money they just never bothered with any tiers beyond that.

Perhaps if you have IAM you can see their users and then email them.

I have hard times feeling any sympathy for these companies. When you trust an ad company like Google what did you expect? Maybe Google will shutdown this product and fix the secuity hole in the process.

Knowing the byzantine ways of Google support, I wouldn't be surprised if Google's reaction to this would be to ban the account of everyone involved in this episode.

Google should shut down Cloud because they allow groups to be added to IAM?

That’s an interesting take.

Fair enough, but it's also worth noting that this mistake is difficult to make in AWS. You can do it, but you have to be so explicit about what you're doing that I can't imagine anyone managing it accidentally.

The system is broken if this has happened _multiple_ times to this guy.

I think you misinterpreted OP. He is making a pun with the widespread beliefs that

a) Google doesn't care about giving user support for their products even if you pay

b) Over a not-so-long time the survival rate of every Google product seems to drop to zero unless it is related to search and ads.

So, the joke is that the problem would solve itself when google predictably kills this product.

I’m not sure that’s a pun. But on re-read I am seeing the humor. On my first read I just saw the tired vitriol, “google == bad”.

What it’s doing is actually useful, using a group to easily add people to roles is great

Not making the group do confirmation, or even acknowledging the addition is super stupid

Maybe you could get thousands of dollars big bounty!

that is hilarious

if you have access to the DB, create a collection/table with a warning/contact info

Perhaps related to this bug which Google has known about for 12 years, and is potentially in breach of GDPR? https://issuetracker.google.com/issues/35889152

for g in * do wget g; done;

Ok, ok, I see people downvoting this, so I'm correcting myself:

for g in * do wget --recursive "g"; done;

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact