https://hackingpassion.com/tags/cloud-security/Recent content in Cloud Security on HackingPassion.com : root@HackingPassion.com-[~]HugoenTue, 23 Jun 2026 12:12:16 +0200https://hackingpassion.com/configconfusion-google-no-bounty/Tue, 23 Jun 2026 12:12:16 +0200https://hackingpassion.com/configconfusion-google-no-bounty/<p>Google told a security researcher his bug was a nice catch, lined up his payout, then eleven days later called it harmless and refused to pay a cent. The flaw he reported lets anyone with basic Kubernetes access take over a complete Google Cloud organization in about five seconds, with three lines of text and no special permissions at all. Months on, it still is not fixed. He named it <strong>ConfigConfusion</strong>.</p>https://hackingpassion.com/google-api-key-23-minutes/Sat, 23 May 2026 15:04:37 +0200https://hackingpassion.com/google-api-key-23-minutes/<p>Google tells you the key is gone. It keeps working for <strong>23 more minutes</strong>. When you delete a Google API key, a dialog appears that says the following: <em>&ldquo;Once deleted, it can no longer be used to make API requests.&rdquo;</em> That is the message. It is printed there by Google, presented as fact at the exact moment you think the risk is gone. It is not true.</p> <p>Security researcher <strong>Joe Leon</strong> at <strong>Aikido Security</strong> spent two days testing what actually happens after a key is deleted. He created keys, deleted them, and kept firing authenticated requests at Google&rsquo;s servers at three to five per second until no valid response came back. He ran ten separate trials. The shortest window before a deleted key fully stopped working was nearly <strong>eight minutes</strong>. The median was <strong>sixteen minutes</strong>. The longest was just under <strong>twenty-three minutes</strong>. During all of that time, the key was authenticating successfully on Google&rsquo;s infrastructure. A deleted key. Still working.</p>https://hackingpassion.com/bing-rce-cve-2026-33819/Sat, 25 Apr 2026 11:10:39 +0200https://hackingpassion.com/bing-rce-cve-2026-33819/<p><strong>Bing had a CVSS 10.0 vulnerability</strong> in its backend infrastructure, the same infrastructure that powers Edge, Windows Search, and Copilot integrations across Microsoft&rsquo;s ecosystem. Microsoft fixed it on March 10 without saying a word publicly. The CVE showed up six weeks later, on April 23. Nobody outside the company knew this had been sitting in the infrastructure that hundreds of millions of people use every day.</p> <p>The CVE number is <strong>2026-33819</strong>. The vulnerability class is <strong>deserialization of untrusted data</strong>, and the idea behind it is simpler than it sounds.</p>https://hackingpassion.com/voidlink-ai-malware/Wed, 21 Jan 2026 15:24:02 +0100https://hackingpassion.com/voidlink-ai-malware/<p>One developer just built 88,000 lines of advanced malware in six days using AI. A single person with an AI coding assistant created a framework sophisticated enough to target AWS, Azure, Google Cloud, Alibaba, Tencent, Kubernetes pods, and Docker containers. 🧐</p> <p>Check Point revealed VoidLink on January 20, 2026. A Linux malware framework designed to compromise cloud infrastructure. The malware detects where it runs and changes its behavior based on what it finds.</p>https://hackingpassion.com/aws-supply-chain-vulnerability/Sat, 17 Jan 2026 13:49:16 +0100https://hackingpassion.com/aws-supply-chain-vulnerability/<p>Netflix. Twitch. iCloud. The servers of the CIA and NSA. 30% of all cloud infrastructure worldwide runs on Amazon Web Services. Two missing characters in a regex filter nearly compromised all of it. 😬</p> <p>A <code>^</code> at the start and a <code>$</code> at the end. That&rsquo;s what was missing from a security filter, and that&rsquo;s all it would have taken for attackers to inject malicious code into the AWS JavaScript SDK.</p>