Google accounts attacked and hijacked by this devious security flaw


Google’s Cloud Platform (GCP) was vulnerable to a zero-day flaw that gave threat actors access to people’s accounts and all the data in them (Gmail, Drive, Docs, Photos, and more), researchers say.

Experts from Astrix Security found that a threat actor could create a malicious Google Cloud Platform app, and advertise it either via the Google Marketplace, or third-party providers.

If a user installs the app and authorizes it, granting it an OAuth token, they’d give the attackers access to their Google account.

Hiding the app from the victims

The threat actors could then make the app invisible by hiding it from Google’s application management page, leaving the victims no way to revoke its access. The method of “hiding” the app is where the zero-day lies: by deleting the linked GCP project, the attackers would put the app into a “pending deletion” state, and apps in that state were not shown on the application management page.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," the researchers said.

Then, whenever the attackers saw fit, they’d be able to restore the project, get a fresh token, and retrieve the data from the victim’s account. What’s more, they could repeat this indefinitely. "The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Astrix named the flaw GhostToken.

It’s also important to note that the impact of the flaw depends heavily on the permissions the victim grants the malicious app: an app with only basic profile scopes can do far less than one granted full Gmail or Drive access.

The vulnerability was discovered in the summer of 2022 and was addressed in April of this year. Now, GCP OAuth applications pending deletion still appear on the “Apps with access to your account” page.
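As a defensive complement (an added example, not code from Astrix or the article): Google Workspace admins can enumerate the OAuth grants each user has issued with the Admin SDK Directory API’s tokens.list and triage them by scope breadth, since the damage an app can do depends on what it was granted. The high-risk scope set, the client IDs and the sample response below are constructed assumptions, and the article does not say whether this admin-side listing was affected by the hiding trick, so treat the output as an inventory to review rather than a guarantee.

```python
"""Triage OAuth grants on Google Workspace accounts by scope breadth."""
# Added example, not from Astrix or the article. The only real API used is the
# Admin SDK Directory API tokens.list; the sample response below is constructed.

# Assumption: scopes an admin would treat as full-access (Gmail, Drive, Photos).
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/photoslibrary",
}


def triage_grants(tokens, known_client_ids):
    """Return grants that need review: unknown client ID and/or a high-risk scope.

    `tokens` is the `items` list of a tokens.list response; each entry carries
    `clientId`, `displayText` and `scopes`.
    """
    findings = []
    for tok in tokens:
        risky = sorted(set(tok.get("scopes", [])) & HIGH_RISK_SCOPES)
        unknown = tok["clientId"] not in known_client_ids
        if risky or unknown:
            findings.append({
                "clientId": tok["clientId"],
                "app": tok.get("displayText", "?"),
                "unknown_client": unknown,
                "high_risk_scopes": risky,
            })
    return findings


def list_user_tokens(service, user_email):
    """Fetch one user's grants via the Admin SDK. `service` must be built with
    googleapiclient.discovery.build('admin', 'directory_v1', credentials=...)."""
    resp = service.tokens().list(userKey=user_email).execute()
    return resp.get("items", [])


# Constructed sample shaped like a tokens.list response (not real data).
SAMPLE_TOKENS = [
    {"clientId": "1111.apps.googleusercontent.com", "displayText": "Corp SSO",
     "scopes": ["openid", "email"]},
    {"clientId": "2222.apps.googleusercontent.com", "displayText": "Unknown Tool",
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"]},
]

if __name__ == "__main__":
    for finding in triage_grants(SAMPLE_TOKENS, {"1111.apps.googleusercontent.com"}):
        print(finding)
```

Grants that are both unknown and broadly scoped are the ones to revoke first (tokens.delete takes the same userKey and clientId).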

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.