CTI Notification: GhostToken
Creating Trojan Apps on Google Accounts
Breakdown
A flaw in the way Google Cloud Platform (GCP) handled applications marked for deletion exposed all Google account holders to potentially malicious “invisible” applications they could not remove. This is being referred to as a zero-day vulnerability, but it is more of a design flaw in the connection between the GCP backend and the way apps run within individual Google accounts. This can easily happen when programmers do not consider the way attackers could manipulate the process to hide their malicious behavior. Google patched the vulnerability on April 7th. All Google account holders will want to verify that only trusted apps they approve have permissions to their accounts by verifying their Google Apps access settings.
Overview
Google Marketplace contains thousands of applications that can be easily installed by any employee on their personal or work accounts. Many organizations allow employees to use the same personal account for work, so the same productivity applications may end up on corporate and personal systems. These applications are connected from the installed system and GCP by tokens that authorize the connection between the app backend and each user’s Google account.
The GhostToken vulnerability takes advantage of a design flaw vulnerability in the way the backend GCP system displays information to the user’s Google account once an app has been marked for deletion. Users can normally see all applications on the app management settings for their Google account. Apps marked for deletion were removed from this screen, effectively hiding the app completely from end users.
Before the patch, if an attacker was aware of this flaw, they could re-enable the app through the backend of GCP, which granted the attacker access back to a user’s account without the user being able to see the app was active again. This created what the researchers from Astrix’s Security Research Group referred to as a “ghost” token that lent the vulnerability its name.
Astrix describes how this can be abused by an attacker:
Depending on the permissions victims give the malicious app, attackers may be able to read the victim’s private correspondences in Gmail, gain access to their personal files on Google Drive and Google Photos, view planned events on their Google calendar, track their location via Google Maps and grant access to the victim’s Google Cloud Platform services.
In even worse cases where users provide sensitive permissions, attackers may be able to delete files from Google Drive, write emails from the victim’s Gmail account to perform social engineering attacks, steal sensitive data from Google Calendar, Photos or Docs and more.
The full technical description on this vulnerability and a potential attack scenario are available from Astrix’s blog post on their research.
The vital information everyone needs to know is that this was disclosed to Google and a global patch fixing the issue was rolled out on April 7th, 2023.
Mitigation and post fix details from Astrix:
The patch released by Google makes it so that applications that are in a “pending-deletion” state are still displayed in the Apps with access to your account page, and thus can be removed by the user just like any application. Astrix recommends users to go to this page and verify that they are familiar with all authorized third-party apps, and that each has the minimal needed permissions.
Conclusion
To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this ongoing event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!
Contact Us
contact@hunterstrategy.net
