Astrix Security, the enterprise’s trusted solution for securing non-human connections and identities, has discovered a 0-day flaw in Google Cloud Platform (GCP). The vulnerability, dubbed “GhostToken,” allows attackers to gain permanent and unremovable access to a victim’s Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever. This may include data stored in the victim’s Google apps, such as Gmail, Drive, Docs, Photos, and Calendar, or in Google Cloud Platform services (BigQuery, Google Compute, etc.). Any Google account is a potential target of this vulnerability, which includes Google Workspace’s three billion users. Astrix disclosed the bug in June 2022, and a patch was rolled out by Google in April 2023.
The 0-day vulnerability was discovered by the Astrix Security Research Group during a routine analysis process, when an API call returned an unusual result. Further investigation unveiled a flaw that makes it possible to hide a third-party application so that the account owner is unable to revoke its access or even know it exists. Depending on the permissions granted to the malicious third-party app, the attacker may have access to the victim’s private Gmail correspondence and personal files on Google Drive. Threat actors may even impersonate the victim to launch social engineering attacks.
Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online. Once the malicious app has been authorized, an attacker exploiting the vulnerability can bypass Google’s “Apps with access to your account” management feature, which is the only place where Google users can view third-party apps connected to their account.
“Google has become the default that so many of us use in our daily lives, and to manage our businesses. That’s why imagining a hacker sitting directly within those Google accounts, observing personal information and schedules, sensitive business intel, or employee information is so concerning. It not only leaves individual Google users continuously vulnerable, but it also has the potential to significantly harm enterprise security,” said Alon Jackson, Astrix CEO and co-founder. “We are very proud of our top-notch research team, who exercised their curiosity and sense of responsibility to uncover this critical flaw, and who continue to demonstrate their expertise every day. As connectivity with third-party apps continues growing exponentially, so does the number of non-human identities. We’re working diligently to protect this daunting and extending attack surface.”
In today’s hyper-connected workspace, employees are freely and independently integrating cloud services and APIs into core business applications such as Google Workspace – all in an effort to boost productivity and efficiency. Whether it is an online meeting app for a calendar or an email organization tool, an employee who inadvertently grants access to a malicious app may be handing over the keys to sensitive and critical enterprise data, with potentially hazardous implications, as recently seen in the crippling attacks on GitHub, Slack, CircleCI and Microsoft.
“At Astrix, we spend most of our time researching how cloud platforms like Google allow connection with third-party apps, analyzing the technical integration flows,” said Tal Skverer, Astrix Research Team Lead. “So when we noticed the unusual result in Google’s API, it rang alarm bells, and we were able to discover this potentially devastating vulnerability. It is because of exploits like GhostToken that our strongest recommendation for enterprises is to secure non-human connections and identities, such as API keys, OAuth tokens, and service accounts, the same way they secure user credentials.”