Google 'ignored warnings over security vulnerabilities on its Java cloud platform', claim security researchers

Security Explorations claims Google suspended its account after investigating the security of Google App Engine for Java

A Polish security company has uncovered what it claims are vulnerabilities in Google App Engine for Java - flaws that, it adds, the internet giant has so far failed to acknowledge.

The flaws were released by the company, Security Explorations, on Friday to the Full Disclosure security list, after it claimed that Google had ignored its warnings. That followed a series of run-ins at the end of 2014, when Google suspended the company's access to Google's Java platform over the company's security research.

"It's been three weeks and we haven't heard any official confirmation/denial from Google with respect to [the issues]. It should not take more than one or two business days for a major software vendor to run the received proof of concept, read our report and/or consult the source code," claimed the company in its Full Disclosure posting.

Security Explorations claims that the way in which Google has responded undermines its claim that it reacts promptly to all reports of security vulnerabilities in its products, services and platforms.

The company claims that the vulnerabilities encompass a Java security sandbox bypass. "Google App Engine for Java is a platform-as-a-service (PaaS) cloud computing platform from Google that enables for arbitrary Java applications development and hosting in the company's managed data centres," claims the technical report produced by Security Explorations.

It continued: "Instead of playing a catch and mouse game with Google, we decided to inform the public about the existence of our Google App Engine project and reveal some brief information about the results obtained so far."

Security Explorations claims that back in December and January it uncovered 21 initial issues "in a Google App Engine environment" and that by mid-January it had uncovered an additional 10 issues. Overall, Security Explorations claims to have uncovered more than thirty security issues with the Google App Engine platform.

"The irony is that all of the bugs reported to Google so far were specific to the 'extra security' layer implemented on top of JRE [Java runtime environment] that aimed to protect Google App Engine against... security vulnerabilities in Java," claimed the company.