Astrix Security researchers have discovered a security vulnerability in Google’s Cloud Platform (GCP), which could have allowed cyberattackers to conceal a malicious application within a victim’s Google account. The bug, dubbed “GhostToken,” would have resulted in the victim’s account being permanently and undetectably infected. According to an analysis by the research team, the malicious app could have enabled attackers to access the victim’s Gmail, Google Drive, Google Photos, Google Calendar, and Google Maps data. Armed with this information, attackers could have executed highly convincing impersonation and phishing attacks or even put the victim in physical danger. In some cases, attackers may have been able to delete files from Google Drive, write emails from the victim’s Gmail account, exfiltrate sensitive data from Google Calendar, Photos, or Docs, and more.
An App That ‘Ghosts’ the Victim
The Google Cloud Platform is designed to host thousands of applications for end-users. These applications can be easily downloaded from the Google Marketplace or third-party markets. When a user authorizes an application, it receives a token that grants access to the installer’s Google account according to the permissions (OAuth scopes) the app requested. However, cyber attackers can exploit the GhostToken vulnerability to plant a malicious application in one of the app stores, masquerading as a legitimate utility or service. Once authorized, the malicious app can hide itself from the victim’s Google account application management page, making it unremovable from the Google account. The attacker can use the token to access the victim’s account and then quickly hide the application again to restore its unremovable state. This vulnerability could have far-reaching consequences for both businesses and individuals and serves as a reminder of the danger that shadow IT can pose for enterprises. The issue arose from the way Google processes OAuth clients when they’re decommissioned. If the owner of the GCP project deletes it, it enters a “limbo-like, pending deletion state,” and it “stays that way for 30 days until it’s fully purged and deleted.” Pending-deletion projects can be completely restored at the owner’s whim from a dedicated page made for that purpose, but for end-users, the app immediately disappears from the “apps with access to your account” management page.
The attack scenario goes like this:
• A victim authorizes a seemingly legitimate (but, in reality, evil) OAuth application. In the background, the attacker receives a token for the victim’s Google account.
• The attackers delete the project associated with the authorized OAuth application, which enters a pending deletion state — the application becomes hidden and unremovable from the victim’s perspective.
• Whenever the attackers wish to get access to the victim’s data they restore the project, get a new access token, and use it to access the victim’s data.
• The attackers then immediately re-hide the application from the victim.
• To maintain persistence, the attack loop must be executed periodically before the pending-deletion project is purged.
“During Step 2 of the attack loop, the access re-appears in the ‘Apps with access to your account’ page, which means the victim may technically remove the application’s access in this time window,” the researchers explained. “However, it’s a very limited time frame which lasts until the attacker executes Step 1 of the attack loop again.”
Eternal Battle of Usability & Security
According to Gour, the vulnerability discovered was unusual because it related to a core feature that was functioning as intended, providing developers with flexibility while keeping the user experience simple. Typically, vulnerabilities can be patched and the system can continue operating, but in this case, it was a core feature of GCP that allowed users to revert to previous actions. While this feature is helpful, it can also be exploited with a straightforward approach to compromise the identity and access management done by third-party integrations like OAuth. The bug highlights the tension between usability and security that is present in enterprise environments. Gour emphasizes the importance of considering security and usability from the design phase and balancing the value of a feature for users with its security implications, particularly when it comes to cloud security and the private information of many people. Ultimately, it is easier to address these issues before implementation than after many users are already using the system.
Ghost No More: Mitigation & a Patch
Earlier this month, Google rolled out a global patch, fixing the issue by making sure that apps in a pending deletion state are still visible in a user’s app management screen. However, Astrix researchers warned that while they aren’t aware of active exploitation, Google Workspace administrators should look for applications that may have been used against users before the patch was rolled out on April 7. This can be done in two ways, the researchers said:
- Looking for applications whose client ID is the same as the ‘displayText’ field and removing their access if they prove to be malicious;
- Or inspecting the OAuth log events in the “Audit and Investigation” feature of Google Workspace for token activity of any such apps.
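The first of those two checks, written out as a small hunting script. This is an added example, not Astrix’s or Google’s code, and it makes no API calls: the input records are constructed here in the shape of the Admin SDK Directory API `tokens.list` Token resource (`userKey`, `clientId`, `displayText`, `scopes`), which is an assumption about where an administrator would pull the real data from. The client IDs and e-mail addresses are placeholders. The script flags every grant whose `displayText` is just the client ID and then ranks the hits by whether they touch the data types the article names (Gmail, Drive, Calendar, Photos), so an admin knows which ones to review first.

```python
"""Hunt for OAuth grants matching the GhostToken post-patch indicator.

Added example (not the advisory's or Google's own code). Records mirror the
Admin SDK Directory API tokens.list Token resource; that shape is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: two ordinary grants and one whose displayText is only the
# client ID, which is the symptom the researchers say to look for. All IDs and
# addresses are placeholders, not real Google identifiers.
SAMPLE_TOKENS = [
    {
        "userKey": "alice@example.com",
        "clientId": "111111111111-placeholder.apps.googleusercontent.com",
        "displayText": "Calendar Sync Helper",
        "scopes": ["https://www.googleapis.com/auth/calendar"],
    },
    {
        "userKey": "alice@example.com",
        "clientId": "222222222222-placeholder.apps.googleusercontent.com",
        "displayText": "222222222222-placeholder.apps.googleusercontent.com",
        "scopes": [
            "https://www.googleapis.com/auth/gmail.readonly",
            "https://www.googleapis.com/auth/drive",
        ],
    },
    {
        "userKey": "bob@example.com",
        "clientId": "333333333333-placeholder.apps.googleusercontent.com",
        "displayText": "Drive Backup",
        "scopes": ["https://www.googleapis.com/auth/drive.readonly"],
    },
]

# Scope prefixes covering the data types named in the article. Treated here as
# "sensitive" for triage ordering only.
SENSITIVE_PREFIXES = (
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/photoslibrary",
)


@dataclass(frozen=True)
class Finding:
    user: str
    client_id: str
    scopes: tuple[str, ...]


def find_nameless_grants(tokens: list[dict]) -> list[Finding]:
    """Return grants whose displayText equals the clientId.

    A project in the pending-deletion limbo no longer carries a display name,
    so the raw client ID is shown in its place; that is the indicator from the
    researchers' guidance. Whitespace is ignored so a padded field still matches.
    """
    findings = []
    for t in tokens:
        client_id = t.get("clientId", "").strip()
        if client_id and t.get("displayText", "").strip() == client_id:
            findings.append(Finding(t["userKey"], client_id, tuple(t.get("scopes", []))))
    return findings


def has_sensitive_scope(finding: Finding) -> bool:
    """True if any granted scope reaches Gmail, Drive, Calendar or Photos data."""
    return any(s.startswith(SENSITIVE_PREFIXES) for s in finding.scopes)


def triage(tokens: list[dict]) -> list[tuple[Finding, bool]]:
    """Nameless grants with a sensitivity flag, most sensitive first."""
    hits = [(f, has_sensitive_scope(f)) for f in find_nameless_grants(tokens)]
    return sorted(hits, key=lambda pair: (not pair[1], pair[0].user))


if __name__ == "__main__":
    for finding, sensitive in triage(SAMPLE_TOKENS):
        tag = "SENSITIVE" if sensitive else "review"
        print(f"[{tag}] {finding.user}: {finding.client_id} scopes={list(finding.scopes)}")
```

In a real run the records would come from `tokens.list` per user, and a confirmed malicious hit would be revoked with the matching `tokens.delete` call for that user and client ID; the script deliberately stops at reporting so the decision stays with the administrator. The second check the researchers mention, reviewing OAuth token events in the Workspace audit log, is the natural follow-up for any client ID this script surfaces.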
Author: Tara Seals, Managing Editor, News, Dark Reading