Google Cloud Platform (GCP) had a zero-day vulnerability that let attackers keep access to victims' Google accounts and everything in them (Gmail, Drive, Docs, Photos and more) through an OAuth token the victim could neither see nor revoke, researchers say.
Astrix Security researchers found that an attacker could create a malicious OAuth application backed by a GCP project and promote it through the Google Marketplace or through third-party vendors.
If the victim installs the application and authorizes it on the OAuth consent screen, the app receives an OAuth refresh token that gives the attacker access to the victim's Google account with whatever scopes were granted.
Hide apps from victims
The attacker can then make the application invisible on Google's application management page, so the victim has no way to revoke it. The trick, and the flaw itself, is simple: by deleting the GCP project behind the app, the attacker puts the project into a "pending deletion" state, and apps in that state were not listed on the management page.
"Since this is the only place Google users can view their apps and revoke access, the exploit makes the malicious app undeletable from your Google account," the researchers said.
Then, whenever the attacker sees fit, they can restore the project, use the refresh token to obtain a new access token, and pull data from the victim's account. They can repeat this indefinitely. "On the other hand, an attacker could at their discretion unhide their app and use the token to access the victim's account, then quickly hide the app again to restore it to an undeletable state. In other words, the attacker is holding a 'ghost' token to the victim's account."
Astrix named the flaw GhostToken.
The impact of the vulnerability depends largely on the scopes the victim grants the malicious application when authorizing it.
Astrix reported the vulnerability to Google in the summer of 2022, and Google deployed a fix in April 2023. GCP OAuth apps whose project is pending deletion now still appear on the "Apps with access to your account" page, so users can revoke them.
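The mechanism above comes down to two parts of the platform disagreeing about one grant: the token side kept a refresh token alive while the app's project sat in "pending deletion", but the user-facing listing filtered that state out. The model below is an added example, not Astrix Security's or Google's code; the class names, the project states, the token formats and the victim/attacker sequence are assumptions made for the model. It runs one hide / audit / unhide / exfiltrate / re-hide round twice, once against the vulnerable listing and once against the fixed one, with a victim who dutifully removes every app the page shows them.

```python
# Toy model of the GhostToken logic (added example, not Astrix's or Google's code).
# All names, states and token formats below are assumptions for the model.
from dataclasses import dataclass
from enum import Enum
import secrets


class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending_deletion"   # grace period after "delete project" (assumed)
    DELETED = "deleted"                     # grace period expired, grant is gone


@dataclass
class OAuthApp:
    name: str
    scopes: frozenset
    project_state: ProjectState = ProjectState.ACTIVE


@dataclass
class Grant:
    app: OAuthApp
    refresh_token: str


class GoogleAccount:
    """Stand-in for a victim's account: stores grants, mints access tokens
    and renders the 'Apps with access to your account' page."""

    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}

    def authorize(self, app: OAuthApp) -> str:
        """Victim clicks 'Allow' on the consent screen; the app gets a refresh token."""
        refresh_token = "1//" + secrets.token_urlsafe(24)
        self._grants[refresh_token] = Grant(app, refresh_token)
        return refresh_token

    def refresh_access_token(self, refresh_token: str) -> str:
        """Token endpoint: honours any stored grant whose project is ACTIVE.
        A pending-deletion project is not serving, which is why the attacker
        restores it first; the grant itself survives until the project is DELETED."""
        grant = self._grants.get(refresh_token)
        if grant is None or grant.app.project_state is not ProjectState.ACTIVE:
            raise PermissionError("invalid_grant")
        return "ya29." + secrets.token_urlsafe(16)

    def apps_with_access(self, fixed: bool) -> list[str]:
        """The management page. Before the fix it listed only apps whose project
        was ACTIVE; after the fix, PENDING_DELETION apps are listed as well."""
        shown = []
        for grant in self._grants.values():
            state = grant.app.project_state
            if state is ProjectState.DELETED:
                continue
            if state is ProjectState.PENDING_DELETION and not fixed:
                continue
            shown.append(grant.app.name)
        return shown

    def revoke(self, app_name: str) -> None:
        """Victim clicks 'Remove access' on an app listed on the page."""
        self._grants = {t: g for t, g in self._grants.items() if g.app.name != app_name}


def ghosttoken_cycle(fixed: bool) -> dict:
    """One round of the attack against a victim who revokes everything the page shows."""
    account = GoogleAccount()
    app = OAuthApp("Drive Helper", frozenset({"https://www.googleapis.com/auth/drive.readonly"}))
    refresh_token = account.authorize(app)

    # 1. Attacker deletes the GCP project: the app enters the grace period.
    app.project_state = ProjectState.PENDING_DELETION

    # 2. Victim audits the page and removes every app it lists.
    page = account.apps_with_access(fixed)
    hidden_from_victim = app.name not in page
    for name in page:
        account.revoke(name)

    # 3. Attacker restores the project and tries to mint a fresh access token.
    app.project_state = ProjectState.ACTIVE
    try:
        account.refresh_access_token(refresh_token)
        attacker_got_token = True
    except PermissionError:
        attacker_got_token = False

    # 4. Attacker re-hides the app, ready for the next round.
    app.project_state = ProjectState.PENDING_DELETION
    return {"hidden_from_victim": hidden_from_victim, "attacker_got_token": attacker_got_token}


if __name__ == "__main__":
    print("vulnerable:", ghosttoken_cycle(fixed=False))
    print("fixed:     ", ghosttoken_cycle(fixed=True))
```

The point the model makes is that the fix lives in the listing, not in the token service: the grant was always revocable, the victim just could not reach it. For a real account the only user-side control is that same page (myaccount.google.com, "Third-party apps with account access"), which is why hiding an app there was equivalent to making it undeletable.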
Via: BleepingComputer