Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to hide an unremovable, malicious application inside a victim's Google account.
Dubbed GhostToken by Israeli cybersecurity startup Astrix Security, the shortcoming affects all Google accounts, including enterprise-focused Workspace accounts. It was discovered and reported to Google on June 19, 2022. The company deployed a global patch more than nine months later, on April 7, 2023.
"The vulnerability […] allows attackers to gain permanent and unremovable access to a victim's Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim's personal data exposed forever," Astrix said in a report.
In a nutshell, the flaw makes it possible for an attacker to hide their malicious app from a victim's Google account application management page, thereby effectively preventing users from revoking its access.
This is achieved by deleting the GCP project associated with the authorized OAuth application, causing it to enter a "pending deletion" state, in which the app no longer appears on the victim's management page. Because the authorization the victim granted survives the project's deletion, the threat actor could repeat the cycle at will: restore the project to unhide the rogue app, use the access token to obtain the victim's data, and delete the project again to make the app invisible once more.
"In other words, the attacker holds a 'ghost' token to the victim's account," Astrix said.
The kind of data that can be accessed depends on the permissions (OAuth scopes) granted to the app, which adversaries can abuse to delete files from Google Drive, write emails on the victim's behalf to carry out social engineering attacks, track locations, and exfiltrate sensitive data from Google Calendar, Photos, and Drive.
"Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online," Astrix added.
"Once the malicious app has been authorized, an attacker exploiting the vulnerability can bypass Google's 'Apps with access to your account' management feature, which is the only place where Google users can view third-party apps connected to their account."
Google's patch addresses the issue by now displaying apps that are in a pending deletion state on the third-party access page, allowing users to revoke the permission granted to such apps.
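The hide/restore/use/hide cycle described above, and the effect of Google's fix, can be followed in a small state model. The following is an added illustration for this article, not code from Astrix or from Google: the project states, grant records, token-endpoint check and the `show_pending_deletion` switch are assumptions that model the behaviour the article describes (an app is hidden while its project is pending deletion, the grant survives, and the patched page lists pending-deletion apps), and every identifier in it is constructed.

```python
"""Toy model of the GhostToken hide/unhide cycle and of the patched app listing.

Added example: models the behaviour described in the article, not Google's
real implementation. Project states, grant records, the token-endpoint rule
and all identifiers below are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class ProjectState(Enum):
    ACTIVE = "ACTIVE"
    DELETE_REQUESTED = "DELETE_REQUESTED"   # the "pending deletion" state


@dataclass
class Project:
    project_id: str
    state: ProjectState = ProjectState.ACTIVE


@dataclass
class Grant:
    """An OAuth authorization a user gave to a third-party app (hypothetical record)."""
    client_id: str
    project: Project
    scopes: tuple
    refresh_token: str
    revoked: bool = False


@dataclass
class Account:
    email: str
    grants: list = field(default_factory=list)

    def visible_apps(self, show_pending_deletion: bool) -> list:
        """Model of the "Apps with access to your account" page.

        Pre-patch (show_pending_deletion=False) grants whose project is pending
        deletion are filtered out, so the user has nothing to revoke.
        Post-patch (True) they are listed and can be revoked.
        """
        return [
            g.client_id for g in self.grants
            if not g.revoked
            and (show_pending_deletion or g.project.state is ProjectState.ACTIVE)
        ]

    def revoke(self, client_id: str, show_pending_deletion: bool) -> bool:
        """The user can only revoke an app the page actually shows."""
        if client_id not in self.visible_apps(show_pending_deletion):
            return False
        for g in self.grants:
            if g.client_id == client_id:
                g.revoked = True
        return True


def exchange_refresh_token(account: Account, refresh_token: str):
    """Token-endpoint model (assumption): the grant persists across project
    deletion, but minting an access token needs the project to be ACTIVE,
    which is why the attacker restores the project before using it."""
    for g in account.grants:
        if g.refresh_token == refresh_token and not g.revoked:
            if g.project.state is ProjectState.ACTIVE:
                return {"access_token": "ya29.constructed-" + g.client_id, "scopes": g.scopes}
            return None
    return None


def ghosttoken_cycle(account: Account, grant: Grant, show_pending_deletion: bool):
    """One attacker iteration: hide, check visibility, restore, use, hide again."""
    proj = grant.project
    proj.state = ProjectState.DELETE_REQUESTED            # delete project -> app hidden
    hidden = grant.client_id not in account.visible_apps(show_pending_deletion)
    proj.state = ProjectState.ACTIVE                      # restore project
    token = exchange_refresh_token(account, grant.refresh_token)
    proj.state = ProjectState.DELETE_REQUESTED            # hide again
    return hidden, token is not None


def build_scenario():
    """Constructed sample data; none of these identifiers are real."""
    proj = Project("attacker-proj-123456")
    grant = Grant(
        client_id="1234567890-example.apps.googleusercontent.com",
        project=proj,
        scopes=("https://www.googleapis.com/auth/drive.readonly",),
        refresh_token="1//0example-refresh-token",
    )
    return Account("victim@example.com", [grant]), grant


def demo(patched: bool) -> dict:
    """Run one cycle against the pre-patch or patched listing, then let the
    victim try to revoke and check whether restoring the project revives the token."""
    victim, grant = build_scenario()
    hidden, usable = ghosttoken_cycle(victim, grant, show_pending_deletion=patched)
    revoked = victim.revoke(grant.client_id, show_pending_deletion=patched)
    grant.project.state = ProjectState.ACTIVE             # attacker restores once more
    still_usable = exchange_refresh_token(victim, grant.refresh_token) is not None
    return {
        "hidden_from_user": hidden,
        "attacker_token_usable": usable,
        "user_could_revoke": revoked,
        "usable_after_revoke": still_usable,
    }


if __name__ == "__main__":
    print("pre-patch:", demo(patched=False))
    print("patched:  ", demo(patched=True))
```

In the pre-patch run the app is hidden, the token still works after the project is restored, and the victim's revoke attempt fails because the page shows nothing to revoke; in the patched run the app stays visible while pending deletion, the user can revoke it, and restoring the project no longer brings the token back. The model deliberately keeps the grant independent of the project's lifecycle, which is the property the attack depends on.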
The development comes as Google Cloud fixed a privilege escalation flaw in the Cloud Asset Inventory API dubbed Asset Key Thief that could be exploited to steal user-managed Service Account private keys and gain access to valuable data. The issue, which was discovered by SADA earlier this February, was patched by the tech giant on March 14, 2023.
The findings come a little over a month after cloud incident response firm Mitiga revealed that adversaries could take advantage of "insufficient" forensic visibility into GCP to exfiltrate sensitive data.