Cross-Tenant Data Access via Confused Deputy in Cloud Service

Summary

A confused deputy vulnerability was identified in Example Cloud’s managed service that allowed cross-tenant data access. The vulnerability existed in the service’s control plane where tenant isolation was not properly enforced during service account operations.

Technical Details

The vulnerability stems from improper validation of tenant context when the managed service performs operations on behalf of users. When a service account executes privileged operations, the control plane failed to verify that the requesting tenant had authorization to access the target resources.

Root Cause

The service’s internal API accepted tenant identifiers from user-controlled input without validating that the authenticated session belonged to the specified tenant.

1
2
3
4
5
6
7

# Vulnerable code pattern
def get_resource(request):
    tenant_id = request.headers.get('X-Tenant-ID')  # User-controlled
    resource_id = request.params.get('resource_id')
    
    # Missing: Verify request.user belongs to tenant_id
    return fetch_resource(tenant_id, resource_id)

Exploitation

An attacker with valid credentials to any tenant could:

1. Authenticate to the service with their legitimate credentials
2. Modify the tenant identifier in API requests
3. Access resources belonging to arbitrary tenants

Affected Versions

Remediation

The vendor implemented proper tenant context validation at the API gateway level, ensuring that all requests are validated against the authenticated session’s tenant before processing.

Organizations using affected versions should:

1. Update to the latest patched version immediately
2. Review access logs for suspicious cross-tenant access patterns
3. Rotate any potentially compromised credentials

Acknowledgments

This vulnerability was discovered and reported through coordinated disclosure with CERT/CC.