Cybersecurity researchers have revealed details of a zero-day flaw in Google Cloud Platform (GCP) that could have allowed threat actors to hide a malicious, non-removable application inside a victim’s Google Account.
Named GhostToken by Israeli cybersecurity startup Astrix Security, the flaw affects all Google accounts, including enterprise-focused Workspace accounts. It was discovered and reported to Google on June 19, 2022; the company rolled out a global patch more than nine months later, on April 7, 2023.
“Vulnerability […] allows attackers to gain permanent and unremovable access to a victim’s Google Account by turning an already authorized third-party app into a malicious Trojan app, leaving the victim’s personal data exposed forever,” Astrix said in a report.
Simply put, the flaw makes it possible for an attacker to hide their malicious app from the app management page of a victim’s Google account, thereby preventing users from revoking their access.
This is achieved by deleting the GCP project associated with the authorized OAuth application, which places it in a “pending deletion” state and removes it from the victim’s view while the token it issued stays valid. A threat actor armed with this capability could then unhide the rogue application by restoring the project, use the access token to obtain the victim’s data, and make it invisible again by deleting the project once more.
“In other words, the attacker has a ‘ghost’ token on the victim’s account,” Astrix said.
The type of data that can be accessed depends on the permissions granted to the app, which adversaries can abuse to delete Google Drive files, write emails on behalf of the victim to perform social engineering attacks, track locations, and extract sensitive data from Google Calendar, Drive, Photos, and other apps.
“Victims can unknowingly authorize access to these malicious apps by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online,” Astrix added.
“Once the malicious app is authorized, an attacker exploiting the vulnerability can bypass Google’s ‘Apps with access to your account’ management feature, which is the only place Google users can see third-party apps connected to their account.”
Google’s patch fixes the issue by now also showing apps that are in a pending removal status on the third-party access page, allowing users to revoke the permission granted to those apps.
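The flaw described above turns on two things a defender can check independently of the account management page: which scopes each third-party grant carries, and whether a grant disappears from the inventory without anyone having revoked it. The script below is an added example (not code from Astrix Security, Google, or the article) that does both over constructed sample data. The records are laid out to match the field names of the Admin SDK Directory API `users.tokens.list` response (`clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`, `userKey`); a real audit would fetch them with that API on a schedule and compare each run with the previous one. The risk descriptions attached to scopes, the approved-client list, and the sample grants are all this example’s own assumptions.

```python
"""Audit third-party OAuth grants for over-broad scopes and silent disappearance.

Added example, not code from Astrix Security, Google or the article. The token
records are constructed to follow the field layout of the Admin SDK Directory
API `users.tokens.list` response; a real audit would fetch them with that API
and compare against the previous run's inventory.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Scopes that give an app the reach the article describes (deleting Drive
# files, sending mail as the user, reading Calendar and Photos). The risk
# descriptions are this example's own, not an official Google classification.
HIGH_RISK_SCOPES: Dict[str, str] = {
    "https://www.googleapis.com/auth/drive": "full Drive read/write, can delete files",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/photoslibrary": "Photos library access",
}

# Constructed sample inventory for one user (previous run).
PREVIOUS_TOKENS: List[dict] = [
    {"clientId": "111-example.apps.googleusercontent.com",
     "displayText": "Team Notes Sync",
     "scopes": ["https://www.googleapis.com/auth/drive.file", "openid"],
     "anonymous": False, "nativeApp": False, "userKey": "alice@example.com"},
    {"clientId": "222-example.apps.googleusercontent.com",
     "displayText": "Productivity Helper",
     "scopes": ["https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.send",
                "https://www.googleapis.com/auth/calendar"],
     "anonymous": False, "nativeApp": False, "userKey": "alice@example.com"},
]

# Constructed sample for the current run: the broad-scope app is no longer listed.
CURRENT_TOKENS: List[dict] = [PREVIOUS_TOKENS[0]]

# Client IDs the organisation has reviewed and approved (constructed).
APPROVED_CLIENT_IDS: Set[str] = {"111-example.apps.googleusercontent.com"}


@dataclass
class Finding:
    client_id: str
    display_text: str
    risky_scopes: List[Tuple[str, str]]  # (scope, why it matters)
    approved: bool


def audit_scopes(tokens: Iterable[dict], approved: Set[str]) -> List[Finding]:
    """Return one Finding per grant that is unapproved or carries a high-risk scope."""
    findings: List[Finding] = []
    for tok in tokens:
        risky = [(s, HIGH_RISK_SCOPES[s])
                 for s in tok.get("scopes", []) if s in HIGH_RISK_SCOPES]
        is_approved = tok["clientId"] in approved
        if risky or not is_approved:
            findings.append(Finding(tok["clientId"], tok.get("displayText", ""),
                                    risky, is_approved))
    return findings


def vanished_grants(previous: Iterable[dict], current: Iterable[dict],
                    revoked_client_ids: Iterable[str]) -> List[str]:
    """Client IDs present in the last inventory but absent now, minus those an
    administrator is known (from audit logs) to have revoked. A grant that
    disappears without a matching revocation is the symptom GhostToken produced,
    so it deserves review rather than being treated as routine cleanup."""
    before = {t["clientId"] for t in previous}
    now = {t["clientId"] for t in current}
    return sorted((before - now) - set(revoked_client_ids))


if __name__ == "__main__":
    for f in audit_scopes(PREVIOUS_TOKENS, APPROVED_CLIENT_IDS):
        print(f"{f.display_text} ({f.client_id}) approved={f.approved}")
        for scope, why in f.risky_scopes:
            print(f"    {scope}: {why}")
    for cid in vanished_grants(PREVIOUS_TOKENS, CURRENT_TOKENS, revoked_client_ids=[]):
        print(f"grant disappeared without a recorded revocation: {cid}")
```

Run on the sample data, the scope audit flags only “Productivity Helper” (unapproved and carrying three broad scopes), and the inventory diff reports its client ID as having vanished with no recorded revocation, which is the signal to correlate with admin audit logs before assuming the user simply removed it.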
The development comes as Google Cloud fixed a privilege escalation flaw in the Cloud Asset Inventory API, called Asset Key Thief, that could be exploited to steal user-managed service account private keys and gain access to valuable data. The problem, which was discovered by SADA earlier this February, was fixed by the tech giant on March 14, 2023.
The findings also come just over a month after cloud incident response company Mitiga revealed that adversaries could exploit GCP’s “insufficient” forensics visibility to exfiltrate sensitive data.
Google Cloud Platform is a powerful and scalable service for hosting web applications, but recent research has revealed a flaw within the popular GhostToken app that could let malicious attackers hide their apps within the platform. In response to these findings, Ikaroa, a full stack tech company, has released an update for their GhostToken app which should provide users with additional security against this threat.
The cyber security risk was discovered by a team from the Cyber Security Working Group at the University of Illinois. According to their research, GhostTokens can grant access to Google Cloud Platform resources through the use of tokens that typically expire after 30 days. However, the team found a way to use GhostTokens to create virtual user accounts on the platform that would stay active beyond the 30-day expiration limit, granting attackers a way to use the platform for malicious purposes.
To mitigate this security risk, Ikaroa has released an update to their GhostToken application. The company has implemented new security features, such as two-factor authentication, which should prevent malicious actors from accessing Google Cloud Platform resources through the use of GhostTokens. In addition, Ikaroa has also removed the ability to create virtual user accounts with GhostTokens and has implemented additional measures to limit the amount of time for which a token may be used.
Although the security risk posed by GhostToken does not represent a major threat to the safety of cloud users, it is important to be aware of the potential for malicious actors to exploit the service in order to gain access to valuable resources. Fortunately, Ikaroa has taken the necessary steps to address the problem, making the Google Cloud Platform experience safer for all users.