“Ghost token” allows attackers to hide malicious applications in the Google Cloud Platform
Exploitation of the “GhostToken” vulnerability can confuse even experienced cybersecurity professionals.
Cybersecurity researchers have revealed details of a recently patched zero-day vulnerability in the Google Cloud Platform (GCP), which allowed attackers to hide malicious applications in the victim’s account.
The GhostToken vulnerability, discovered by the Israeli company Astrix Security, affects all Google accounts, including corporate Workspace accounts. It was discovered on June 19, 2022; Google deployed a global fix only nine months later, on April 7, 2023.
“The GhostToken vulnerability allows attackers to gain permanent access to the victim’s Google account, turning an already authorized third-party application into a Trojan, leaving the victim’s personal data permanently open,” says the Astrix Security report.
In other words, the vulnerability allows an attacker to hide their malicious application from the application permission management pages of the victim’s Google account, thereby preventing the victim from revoking its access. The effect is achieved by deleting the GCP project associated with the authorized OAuth application, which puts the project into a pending-deletion state in which the application is no longer listed. The attacker can then restore the project, bringing the rogue app back, in order to stealthily obtain the victim’s data, and then delete the project again to make it invisible once more.
[Figure: scheme of infection and attack]
“In other words, the attacker is holding a ‘ghost’ token for the victim’s account,” Astrix Security explained.
The type of data that can be accessed in this manner depends on the permissions granted to the application, which an attacker can abuse. Potential malicious activities include: deleting files from Google Drive, writing emails on behalf of the victim via Gmail, tracking device location, stealing sensitive data from any Google services, etc.
“Victims can unknowingly give access to such malicious applications by installing a seemingly harmless application from Google Play. Once a malicious application is authorized, an attacker exploiting the vulnerability can bypass Google’s ‘Apps with account access’ feature, which is the only place where users can view third-party applications connected to their account,” Astrix Security added.
Google’s recent patch addresses this issue by also displaying apps that are pending deletion on the Third Party Access page. This allows users to revoke permissions granted to such applications.
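As an added defender-side example (not from the article or from Astrix Security), the check below replays OAuth token audit events for a user and flags grants that the audit trail still considers live but that no longer appear in the account's visible third-party app list, which is exactly the gap a hidden, pending-deletion app exploited. The event field names and all sample data are constructed assumptions, loosely modelled on Workspace token audit events rather than copied from Google's documentation.

```python
from dataclasses import dataclass

@dataclass
class TokenEvent:  # field names are an assumption, loosely modelled on Workspace token audit events
    time: str
    user: str
    name: str        # "authorize" or "revoke"
    client_id: str
    app_name: str
    scopes: tuple

# Constructed audit events for one user: three grants, the third later revoked.
AUDIT_EVENTS = [
    TokenEvent("2022-06-01T09:00:00Z", "alice@example.com", "authorize", "1111-abc.apps.googleusercontent.com",
               "Calendar Helper", ("https://www.googleapis.com/auth/calendar",)),
    TokenEvent("2022-06-02T10:15:00Z", "alice@example.com", "authorize", "2222-def.apps.googleusercontent.com",
               "Drive Cleaner", ("https://www.googleapis.com/auth/drive",)),
    TokenEvent("2022-06-03T11:00:00Z", "alice@example.com", "authorize", "3333-ghi.apps.googleusercontent.com",
               "Mail Merge", ("https://www.googleapis.com/auth/gmail.send",)),
    TokenEvent("2022-06-05T08:00:00Z", "alice@example.com", "revoke", "3333-ghi.apps.googleusercontent.com",
               "Mail Merge", ("https://www.googleapis.com/auth/gmail.send",)),
]

# Constructed snapshot of the client IDs the account's third-party access
# page currently lists for the same user; "Drive Cleaner" is absent.
VISIBLE_APPS = {"alice@example.com": {"1111-abc.apps.googleusercontent.com"}}

def expected_active(events):
    """Replay authorize/revoke events in time order; return, per user, the
    client_id -> authorize event of every grant that was never revoked."""
    active = {}
    for ev in sorted(events, key=lambda e: e.time):
        grants = active.setdefault(ev.user, {})
        if ev.name == "authorize":
            grants[ev.client_id] = ev
        elif ev.name == "revoke":
            grants.pop(ev.client_id, None)
    return active

def find_ghost_grants(events, visible):
    """Grants the audit trail says are live but the visible app list lacks."""
    ghosts = []
    for user, grants in expected_active(events).items():
        shown = visible.get(user, set())
        for client_id, ev in grants.items():
            if client_id not in shown:
                ghosts.append((user, client_id, ev.app_name, ev.scopes))
    return ghosts
```

Any grant reported here deserves a manual review, since a legitimately revoked app should have left a revoke event behind rather than simply vanishing from the list.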