gcp, pub/sub, for security teams

Redirecting a Pub/Sub push endpoint: the event stream becomes a tap

Change a push subscription's endpoint and the whole event stream flows to the attacker. Stopping publishers is the wrong reflex. Here is how to fix the tap.

Pub/Sub and Eventarc deliver your event streams to push endpoints, and whoever can edit a subscription controls where those events go. Re-point the endpoint and the stream becomes a tap.

How the attack works

An attacker with Pub/Sub or Eventarc edit rights changes a push subscription’s endpoint to an attacker-controlled URL. Cloud Audit Logs record a pubsub.subscriptions.update modifying the pushConfig endpoint to a host that is not the declared internal consumer, made by a principal outside the IaC pipeline. The subscription’s OIDC push auth is reconfigured to follow, so delivered events carry a token to the attacker endpoint. Newly published messages divert to the attacker, siphoning order and record payloads off the legitimate consumer for as long as the endpoint stays redirected. In ATT&CK terms this is T1098, Account Manipulation, with T1530, Data from Cloud Storage, and T1119, Automated Collection.

Why it works

The attacker could edit subscription endpoints and Eventarc triggers project-wide. The diversion lives in the subscription configuration, so the legitimate pipeline appears to keep delivering while the stream is quietly mirrored.

How to fix it

Stopping publishers breaks the legitimate consumer too, and the moment publishing resumes the still-redirected endpoint resumes siphoning. The push endpoint is the tap, so restore the legitimate endpoint or delete the rogue subscription or trigger, then lock Pub/Sub and Eventarc edit IAM so it cannot be re-pointed. Manage endpoints through IaC and alert on push-endpoint modifications. Scope what was diverted by bounding the window with the change and restore timestamps, then enumerating messages from delivery metrics and topic Data Access logs.
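As an added example (not the field note's own code), a small detector that applies the alert-and-scope advice above: it flags audit entries that re-point a push endpoint to a host outside the declared consumers or that come from a principal other than the IaC deployer, then bounds the diversion window between the rogue change and the restoring update. The allowlist values, the non-IaC principal and the request-body layout are assumptions, and the log entries are constructed.

```python
from datetime import datetime
from urllib.parse import urlparse
# Hypothetical allowlists; in practice derive both from the IaC definitions.
ALLOWED_HOSTS = {"orders-consumer.internal.example.com"}
IAC = "tf-deployer@example-project.iam.gserviceaccount.com"
PUSH_METHODS = {"google.pubsub.v1.Subscriber.UpdateSubscription",
                "google.pubsub.v1.Subscriber.ModifyPushConfig"}

def push_endpoint(entry):
    """New pushEndpoint written by the call, or None (request layout assumed)."""
    req = entry.get("protoPayload", {}).get("request", {})
    cfg = req.get("subscription", req).get("pushConfig", {})
    return cfg.get("pushEndpoint")

def classify(entry):
    """Reasons this entry is a suspicious push-endpoint change ([] if benign)."""
    payload = entry.get("protoPayload", {})
    endpoint = push_endpoint(entry)
    if payload.get("methodName") not in PUSH_METHODS or endpoint is None:
        return []
    reasons = []
    host = urlparse(endpoint).hostname or ""
    if host not in ALLOWED_HOSTS:
        reasons.append(f"endpoint host {host!r} is not a declared consumer")
    actor = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if actor != IAC:
        reasons.append(f"principal {actor!r} is outside the IaC pipeline")
    return reasons

def diversion_window(entries):
    """First rogue change until the first clean restore (end None while open)."""
    start = end = None
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        if start is None and classify(e):
            start = ts
        elif start is not None and push_endpoint(e) and not classify(e):
            end = ts
            break
    return start, end

def entry(ts, actor, endpoint):  # builds a constructed, simplified audit entry
    return {"timestamp": ts, "protoPayload": {
        "methodName": "google.pubsub.v1.Subscriber.UpdateSubscription",
        "authenticationInfo": {"principalEmail": actor},
        "request": {"subscription": {"pushConfig": {"pushEndpoint": endpoint}}}}}

LOG = [  # constructed sample: legitimate deploy, redirect, restore
    entry("2024-05-01T09:00:00Z", IAC, "https://orders-consumer.internal.example.com/push"),
    entry("2024-05-01T10:15:00Z", "contractor@example.com", "https://collector.example.net/push"),
    entry("2024-05-01T11:40:00Z", IAC, "https://orders-consumer.internal.example.com/push"),
]
```

Feed real entries from a Cloud Logging export in place of LOG; the window returned is the bound to use when enumerating diverted messages from delivery metrics and topic Data Access logs.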

Practice it

We built this as a GraphLattice Range scenario so teams can rehearse the endpoint redirect, the restore-and-lock containment, and the IaC-managed-endpoint fix.