New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations in the way different web servers or intermediaries, such as load balancers and proxies handle HTTP request sequences.

By creating malicious HTTP requests that exploit these inconsistencies, an attacker can control the order in which requests are processed, possibly resulting in unauthorized access, circumvention of security controls, session hijacking, or injection of malicious content into responses meant for other users.

This flaw is based on differences in the interpretation of start and end points for HTTP requests, which helps the server process them incorrectly.

Cybersecurity researchers at BugCrowd recently in a collaborative effort by Paolo Arnolfo (@sw33tLie), a hacking enthusiast passionate about server-side vulnerabilities, Guillermo Gregorio (@bsysop), a dad superhero and skilled hacker, and █████ (@_medusa_1_), a stealthy genius unveiled key insights about HTTP Request Smuggling.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

New TE.0 HTTP Request Smuggling

While cloud hosting offers security benefits, unknown HTTP Request Smuggling vectors can still pose significant threats. 

A recent discovery affected thousands of Google Cloud-hosted websites using their Load Balancer, compromising various services, including Identity-Aware Proxy. 

Researchers employ differential testing tools like http-garden for local servers and “spray-and-pray” techniques on bug bounty programs for cloud infrastructures to uncover such vulnerabilities. 

Tools like bbscope can generate extensive target lists for vulnerability research, highlighting that HTTP Request Smuggling remains a widespread and under-researched security issue.

TE.0, a new HTTP request smuggling variant, was discovered to be affecting Google Cloud’s Load Balancer.

The technique, which is similar to the CL.0 variant but uses Transfer-Encoding, enabled mass 0-click account takeovers on susceptible systems.

Attack flow (Source – BugCrowd)

It affected thousands of targets, including those protected by Google’s Identity-Aware Proxy (IAP), and it was widespread among Google Cloud-hosted websites that were set to default HTTP/1.1 rather than HTTP/2.

This discovery shows how HTTP Request Smuggling techniques keep evolving and why constant security research is crucial in cloud infrastructures.

TE.0 HTTP Request Smuggling vulnerability affected Google’s Load Balancer and compromised Google Identity-Aware Proxy (IAP), a key feature of Google Cloud’s Zero Trust security.

This flaw made it possible to bypass the strict authentication and authorization measures of IAP consequently violating its principle “never trust, always verify.”

The flaw allowed site-wide redirects as well as malicious use of application-specific widgets which could have led to severe security breaches.

All TE.0 attacks were able to evade IAP protection though not all had serious consequences.

Google admitted this after initial reporting challenges, demonstrating that fixing loopholes in cloud infrastructure is a complex problem.

Here below we have mentioned the disclosure timeline:-

Disclosure timeline (Source – BugCrowd)

Google Cloud’s infrastructure was discovered to have a significant vulnerability due to persistent attempts to hack through the web application by using HTTP request smuggling techniques.

Research motivated by curiosity which resulted in a big check and a lesson that cyber security highlighted the value of creative thinking.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago