GhostToken Exposes Google Cloud Platform Users to Potential Attacks
First discovered in June 2022 by researchers at Astrix Security, an Israeli cybersecurity company, the zero-day vulnerability known as GhostToken is unusual in that it gives an attacker blanket (and invisible) access to a user’s Google account.
Here is how the attack is executed:
- A user authorizes a seemingly legitimate (but, in reality, evil) OAuth application.
- In the background, the attacker receives a token for the user’s Google account.
- The attacker deletes the GCP project associated with the authorized OAuth application. The project enters a pending-deletion state, which hides the application from the user and makes it impossible for the user to remove.
- Whenever the attacker wishes to get access to the user’s data, they restore the project, get a new access token, and use it to access the account.
- The attacker then immediately deletes/re-hides the application.
- To maintain persistence, the attack loop must be executed periodically before the pending-deletion project is purged.
According to the researchers, there are three things you can do:
- Look for applications whose ClientID is the same as their 'displayText' field, and remove their access if they prove to be malicious;
- Inspect the OAuth log events in the "Audit and Investigation" feature of Google Workspace for token activity by any such apps;
- Revoke the suspect token (but be sure to test with end users first).
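The first two checks above, as an added example that is not from the original article or from Astrix: the data is constructed, and the field and parameter names (clientId, displayText, scopes, userKey for the Admin SDK Directory tokens.list response; client_id, app_name, api_name for Reports API token activity) are assumed here and should be confirmed against a live response.

```python
# Added example (not from the article or from Astrix): flag OAuth apps whose
# displayText equals their clientId, then pull the OAuth audit events that
# reference those client IDs. All data below is constructed; the field and
# parameter names follow the Admin SDK Directory tokens.list and Reports API
# token-activity shapes as assumed here, so verify them against a live response.

# Constructed: what tokens.list might return for one user.
SAMPLE_TOKENS = [
    {"clientId": "123-abc.apps.googleusercontent.com", "displayText": "Calendar Helper",
     "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/calendar"]},
    {"clientId": "999-ghost.apps.googleusercontent.com",
     "displayText": "999-ghost.apps.googleusercontent.com",
     "userKey": "alice@example.com", "scopes": ["https://www.googleapis.com/auth/drive"]},
]

# Constructed: Reports API activities for applicationName="token".
SAMPLE_OAUTH_EVENTS = [
    {"id": {"time": "2023-04-20T10:00:00Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "123-abc.apps.googleusercontent.com"},
         {"name": "app_name", "value": "Calendar Helper"}]}]},
    {"id": {"time": "2023-04-21T03:15:00Z"}, "actor": {"email": "alice@example.com"},
     "events": [{"name": "activity", "parameters": [
         {"name": "client_id", "value": "999-ghost.apps.googleusercontent.com"},
         {"name": "api_name", "value": "drive"}]}]},
]


def find_ghost_candidates(tokens):
    """Return tokens whose display text is just the client ID, i.e. no app name."""
    return [t for t in tokens
            if t.get("displayText") and t.get("displayText") == t.get("clientId")]


def token_activity_for(activities, client_ids):
    """Return (time, actor, event name, client_id) for audit events touching client_ids."""
    hits = []
    for act in activities:
        for ev in act.get("events", []):
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            if params.get("client_id") in client_ids:
                hits.append((act["id"]["time"], act["actor"]["email"],
                             ev["name"], params["client_id"]))
    return hits


if __name__ == "__main__":
    suspects = {t["clientId"] for t in find_ghost_candidates(SAMPLE_TOKENS)}
    for hit in token_activity_for(SAMPLE_OAUTH_EVENTS, suspects):
        print(*hit)
```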