A severe zero-day vulnerability, identified as the “GhostToken” flaw, could allow an adversary to infect a target Google Cloud with malicious apps. Google patched the flaw before public disclosure.
GhostToken Zero-Day Vulnerability In Google Cloud
As elaborated in a recent post from Astrix Security, the GhostToken zero-day vulnerability could allow infecting the target Google Cloud with malicious apps.
Specifically, the flaw affected the Google account application management page – the page where users review the apps connected to their account. An adversary could connect malicious apps to the account and hide them permanently from the user. As a result, the account's owner would never learn of the malicious app's presence and would inadvertently keep using an infected account.
Briefly, the flaw stems from how an app connects to a Google account via a token. As the researchers explained, an app receives an access token for the account as soon as the Google user installs it from the Google Marketplace.
Regarding how they came across the issue, the researchers stated:
“While running our usual analysis process, a tokens.list API call had returned an odd result – a token of an OAuth application which had its displayText identical to the clientId field.”
The researchers found that the cause of the odd displayText field behavior was the deletion of the OAuth application client. They then became curious about what would happen to the access token if they restored an app scheduled for deletion. (Google allows restoring an app scheduled for deletion within 30 days.)
They noticed that the refresh token, created before initiating the deletion, became re-enabled following the restoration. They could then use this refresh token to obtain an access token granting access to the respective Google account.
Hence, they deduced that an attacker could repeatedly delete and restore a malicious app to maintain stealthy yet persistent access to the victim's Google account and steal sensitive data.
Google Patched the Vulnerability
According to the researchers, an adversary could exploit the GhostToken vulnerability to access sensitive information from the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google Cloud Platform services.
Upon discovering the flaw, they reported the matter to Google in June 2022. While Google acknowledged the flaw in August 2022, it did not release a patch until April 2023.
Still, Google released the fix before any known active exploitation. The patch makes the OAuth tokens of apps scheduled for deletion visible in the users' app management page.
Though the tech giant has released the fix, Google users should still review their accounts for any unrecognized apps and grant third-party apps only the minimum permissions they need.
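The indicator the researchers describe (a tokens.list entry whose displayText equals its clientId, caused by the app client being scheduled for deletion) and the behaviour the patch changes (whether such an app appears on the app management page) can both be expressed as a small audit script. The code below is an added example for this article, not code from Astrix Security or Google: it uses only the two field names the post mentions, displayText and clientId; the scopes field, the pending-deletion flag, the helper names and every sample value are constructed for the illustration.

```python
"""Audit OAuth token records for the GhostToken indicator (added example).

Records are shaped like the tokens.list output described in the article.
Only displayText and clientId come from the article; `scopes`, the
`pending_deletion` flag and all sample values are assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass
class TokenRecord:
    client_id: str                                # clientId of the OAuth app
    display_text: str                             # displayText shown for the app
    scopes: list = field(default_factory=list)    # assumed field for illustration


def is_ghost_indicator(token: TokenRecord) -> bool:
    """The anomaly the researchers noticed: displayText identical to clientId.

    The article attributes this to the OAuth app client having been deleted
    (scheduled for deletion), which, before the fix, also hid the app from
    the user's app management page.
    """
    return token.display_text == token.client_id


def audit_tokens(tokens: list) -> list:
    """Return the tokens an account owner should review and revoke if unknown."""
    return [t for t in tokens if is_ghost_indicator(t)]


def visible_in_app_management(pending_deletion: bool, google_patched: bool) -> bool:
    """Model of what the account's app management page lists.

    Before the April 2023 fix (as the article describes it), an app whose
    client was scheduled for deletion was not shown; after the fix it is.
    """
    if not pending_deletion:
        return True
    return google_patched


# Constructed sample: two ordinary apps and one whose client is pending deletion.
SAMPLE_TOKENS = [
    TokenRecord("123.apps.example", "Calendar Helper", ["calendar.readonly"]),
    TokenRecord("456.apps.example", "Drive Backup", ["drive"]),
    TokenRecord("789.apps.example", "789.apps.example", ["drive", "gmail"]),
]


if __name__ == "__main__":
    for t in audit_tokens(SAMPLE_TOKENS):
        hidden = not visible_in_app_management(pending_deletion=True, google_patched=False)
        print(f"review: {t.client_id} scopes={t.scopes} hidden_before_fix={hidden}")
```

The audit deliberately keys on the token listing rather than on the app management page: the page is exactly the view the flaw blanked out, while the token listing still carried the entry, so an organisation reviewing third-party access should enumerate tokens directly and treat any entry with a bare clientId as its display name as something to verify and, if unrecognised, revoke.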