No IP, No Problem: Exfiltrating Data Behind IAP

Ariel Kalman

fwd:cloudsec North America 2025 · Day 1 · Track 2 - Crestone

Ariel Kalman, a senior security researcher at Mitiga, presented a novel data exfiltration technique that abuses Google Cloud Platform's **Identity-Aware Proxy (IAP)** to smuggle secrets out of restricted environments without a single packet travelling directly from the internal attacker to the external one. The attack leverages a specific IAP setting, **"Allow HTTP OPTIONS"** (designed to support CORS preflight requests), in combination with **App Engine version deployments** to embed secrets in the `Access-Control-Allow-Origin` response header, which IAP returns to unauthenticated external HTTP OPTIONS requests. The technique was disclosed to GCP, which acknowledged it as expected behavior and updated the documentation to highlight the risk, but declined to change the service architecture.
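Since the talk notes that the deployments are the only thing this channel leaves in the logs, a defender's check combines two signals: whether the IAP resource has the OPTIONS exception enabled, and whether a principal is deploying App Engine versions in rapid bursts. The script below is an added example written for this summary, not code from the talk or from Mitiga; it assumes the IAP settings field path `accessSettings.corsSettings.allowHttpOptions` and the audit-log method name `google.appengine.v1.Versions.CreateVersion`, and runs on constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field path from the IAP settings REST resource: accessSettings.corsSettings.allowHttpOptions
def options_exception_enabled(iap_settings: dict) -> bool:
    """True when unauthenticated HTTP OPTIONS requests bypass IAP for this resource."""
    cors = iap_settings.get("accessSettings", {}).get("corsSettings", {})
    return bool(cors.get("allowHttpOptions", False))

DEPLOY_METHOD = "google.appengine.v1.Versions.CreateVersion"  # audit-log methodName (assumed)
def deployment_bursts(entries, window=timedelta(minutes=10), threshold=3) -> dict:
    """Principal -> largest number of version deployments inside one window, reported
    only when it reaches `threshold` (every secret-carrying hop is a new deployment)."""
    per_principal = defaultdict(list)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != DEPLOY_METHOD:
            continue
        who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        per_principal[who].append(datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")))
    bursts = {}
    for who, times in per_principal.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[who] = best
    return bursts

def assess(iap_settings: dict, entries) -> list:
    """The two signals only matter together: the OPTIONS exception opens the channel,
    and the deployments are the only trace it leaves."""
    findings = []
    if options_exception_enabled(iap_settings):
        findings.append("IAP allows unauthenticated OPTIONS: response headers are reachable from the internet")
        for who, n in deployment_bursts(entries).items():
            findings.append(f"{who} deployed {n} App Engine versions inside one 10-minute window")
    return findings

# Constructed sample data, not real log entries or settings.
def _deploy(who, ts):
    return {"timestamp": ts, "protoPayload": {"methodName": DEPLOY_METHOD,
                                              "authenticationInfo": {"principalEmail": who}}}
SAMPLE_IAP = {"accessSettings": {"corsSettings": {"allowHttpOptions": True}}}
SAMPLE_LOG = [_deploy("build@example.iam.gserviceaccount.com", "2025-06-10T09:00:00Z")] + [
    _deploy("dev@example.com", t) for t in ("2025-06-10T12:00:00Z", "2025-06-10T12:02:30Z",
                                            "2025-06-10T12:04:10Z", "2025-06-10T12:07:45Z")]
```

The burst threshold is a tuning knob: CI service accounts that legitimately redeploy often should be allow-listed rather than the window widened.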

AI review

A clean, creative exfiltration technique that abuses the intersection of IAP's CORS preflight exception and App Engine deployment capability to create a covert channel through HTTP response headers. The attack requires no direct network connectivity between the internal and external attacker, the exfiltration channel is invisible in logs (only the version deployments are logged), and GCP declared it expected behavior. This is the kind of elegant abuse of legitimate functionality that makes cloud security interesting.
