[Google VRP] Privilege escalation on https://dialogflow.cloud.google.com
Hi.
This is a short story (because I’m lazy, yes) about my last bug for Google VRP.
While testing the privilege escalation problems on https://dialogflow.cloud.google.com/ I noticed that downgrading the access level for the invited user does not work as expected.
Steps to reproduce:
1. Go to https://dialogflow.cloud.google.com/#/editAgent/{project}/ settings -> Share -> invite another user with “Developer” role.
2. Downgrade “Developer” role to “Reviewer” and apply changes.
3. Observe that although the changes have been applied and the role is “Reviewer” now, but the user can still perform all actions as “Developer”.
But why?
I went to https://console.cloud.google.com/iam-admin/ and saw that roles and assignments of invited users for https://dialogflow.cloud.google.com/#/editAgent/{project}/ not changing properly. When access level are changed, the permissions do not change (“Developer” -> “ Reviewer “), but adding to each other (“ Developer “+” Reviewer “).
Timeline :
- Apr 6, 2021 reported
- Apr 7, 2021 triaged
- Apr 16, 2021 Nice catch!
- Apr 22, 2021 Awarded $3133.70
- Jun 13, 2021 Fix