A zero-day vulnerability dubbed “GhostToken” could let threat actors gain unremovable access to a victim's Google account by converting an authorized third-party app into a malicious trojan, leaving the victim's personal data exposed indefinitely.
In an April 20 blog post, Astrix’s Security Research Group explained that by exploiting GhostToken, attackers can hide their malicious app from the victim’s Google account application management page. Because that page is the only place Google users can see their apps and revoke access, the exploit makes the malicious app unremovable from the Google account.
Meanwhile, the attacker can use the refresh token they receive when they take over the victim’s account to access that account, then hide the app again to restore its unremovable state. Because the application is hidden from view, the victim remains in the dark: they are prevented from even knowing their account has been hacked, and even if they do suspect it, the only step they can take is to set up a new Google account.
The Astrix researchers said any Google account is a potential target of GhostToken, which is significant because that includes Google Workspace's 3 billion users. Astrix first published news about the GhostToken zero-day on June 19, 2022, and Google released a patch earlier this month, on April 7. As part of Astrix’s coordination with Google, the patch included adding tokens of OAuth applications in a “pending deletion” state to the user’s app management screen.
While security researchers can consider this new from a “known attack technique” perspective, the abused feature it leverages has been there for a while, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“It's not related to the recent zero-day attacks reported in Chrome,” said Parkin. “This is an issue with how Google's ecosystem handles third-party authorizations and has already been corrected. The ‘permanent and unremovable’ claims were a bit hyperbolic as a fix was obvious and easily implemented.”
Of course, depending on the permissions victims assign the malicious app, attackers can potentially read the victim’s private correspondence in Gmail, gain access to personal Google Drive and Google Photos files, view planned events on Google Calendar, track the victim’s location via Google Maps, and grant access to the victim’s Google Cloud Platform services.
Craig Burland, chief information security officer at Inversion6, added that the disclosure from Astrix should help cybersecurity teams bring focus to cloud security and specifically third-party integrations. Burland said the cloud ecosystem offers a wealth of integrations that can add or enhance capabilities: everything from simple mail-merge to full-blown analytics is just a few clicks away.
“But there’s another side to that coin,” said Burland. “Cyber teams are already struggling to efficiently and effectively manage third-party risk as organizations lob 300-question surveys at each other in desperation. Cloud integrations bypass all of that governance and cut straight to the heart, boosting productivity and also inviting risk. So, who looks to see what’s integrated with your cloud application? Who checks what rights and permissions have been granted? What personal data has been exposed?”