No IP, No Problem: Exfiltrating Data Behind IAP
Ariel Kalman
Cloud Village @ DEF CON 33 · Day 1 · Cloud Village
In a compelling presentation at Cloud Village, Ariel Kalman, a Security Researcher at Mitiga, unveiled a novel data exfiltration technique targeting Google Cloud Platform's (GCP) **Identity-Aware Proxy (IAP)**. Titled "No IP, No Problem: Exfiltrating Data Behind IAP," the talk demonstrated how specific misconfigurations and an often-misunderstood security setting within IAP can be abused to bypass stringent network controls and extract sensitive information from otherwise isolated environments. This research is particularly significant for organizations that rely heavily on IAP to secure their applications, as it exposes a stealthy channel for data egress that circumvents traditional firewall rules and access management.
AI review
Kalman found a real, specific, underappreciated attack surface in GCP IAP and built a coherent kill chain around it. The `allow HTTP options` bypass isn't a theoretical flaw — it's a misconfiguration that exists in production environments right now, and the exfiltration mechanics are clever enough that most defenders won't have detection coverage for it. Minor reservations around attack complexity and data throughput ceiling, but this is genuine cloud security research.