
GhostToken Exposes Google Cloud Platform Users to Potential Attacks

First discovered in June 2022 by researchers at Astrix Security, an Israeli cybersecurity company, the zero-day vulnerability known as GhostToken is unusual: it essentially gives an attacker blanket (and invisible) access to a user’s Google account.

Here is how the attack is executed:

  • A user authorizes a seemingly legitimate (but, in reality, evil) OAuth application.
  • In the background, the attacker receives a token for the user’s Google account.
  • The attacker deletes the project associated with the authorized OAuth application, which enters a pending deletion state, making the application hidden and unremovable by the user.
  • Whenever the attacker wishes to get access to the user’s data, they restore the project, get a new access token, and use it to access the account.
  • The attacker then immediately deletes/re-hides the application.
  • To maintain persistence, the attack loop must be executed periodically before the pending-deletion project is purged.

Google rolled out a global fix on April 7th. The fix ensures that a pending deletion app still appears in the list of authorized applications, allowing the end user to disable it at any time.

But what if your clients were exposed before the patch? How do you ensure they didn’t fall victim to nefarious activity?

According to researchers, there are three things you can do:

  1. Look for applications whose ClientID is the same as the 'displayText' field and remove their access if they prove to be malicious;
  2. Inspect the OAuth log events in the "Audit and Investigation" feature of Google Workspace for token activity of any such apps;
  3. Revoke the suspect token (but be sure to test with end users first).

For example, when reviewing our internal logs, we noticed a few instances whose ClientID matched the 'displayText'. After some testing, we identified this as a PC Google Drive installation. After re-authentication, the 'displayText' identified the OAuth connection as Google Drive.
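The first check above can be scripted. The following is an added example, not code from Astrix Security or SaaS Alerts. It assumes the token list has been exported as JSON in the shape returned by the Admin SDK Directory API `tokens.list` call (one response per user, each token carrying `clientId` and `displayText`); the function name, users and client IDs are constructed for illustration.

```python
import json

# Constructed sample: per-user responses shaped like Directory API tokens.list
# output. Every address and client ID here is made up.
SAMPLE_TOKENS = json.loads("""
{
  "alice@example.com": {"items": [
    {"clientId": "111111111111-aaaa.apps.googleusercontent.com",
     "displayText": "Example Calendar Sync", "nativeApp": false,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "222222222222-bbbb.apps.googleusercontent.com",
     "displayText": "222222222222-bbbb.apps.googleusercontent.com",
     "nativeApp": false,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]}
  ]},
  "bob@example.com": {"items": [
    {"clientId": "333333333333-cccc.apps.googleusercontent.com",
     "displayText": "333333333333-cccc.apps.googleusercontent.com ",
     "nativeApp": true,
     "scopes": ["https://www.googleapis.com/auth/drive"]}
  ]},
  "carol@example.com": {}
}
""")

def find_suspect_tokens(tokens_by_user):
    """Return tokens whose displayText equals their clientId.

    A match is a lead for manual review, not a verdict: a legitimate
    desktop client can show the same pattern until it re-authenticates.
    """
    findings = []
    for user, response in sorted(tokens_by_user.items()):
        for token in response.get("items", []):  # users with no tokens have no "items"
            client_id = (token.get("clientId") or "").strip()
            # Assumption: surrounding whitespace is ignored when comparing.
            if client_id and client_id == (token.get("displayText") or "").strip():
                findings.append({
                    "user": user,
                    "clientId": client_id,
                    "nativeApp": bool(token.get("nativeApp")),
                    "scopes": sorted(token.get("scopes", [])),
                })
    return findings

if __name__ == "__main__":
    for f in find_suspect_tokens(SAMPLE_TOKENS):
        print(f"{f['user']}: {f['clientId']} native={f['nativeApp']} scopes={f['scopes']}")
```

Each finding keeps the granted scopes and the `nativeApp` flag so that the follow-up review of OAuth log events can start with the widest grants.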

As the screenshot below shows, SaaS Alerts captures both the App Name and ClientID in the misc section of a user’s account. So if you see an OAuth connection, we suggest looking at the details to determine whether it meets the criteria identified above.


Cybercriminals will continue to find new ways to exploit vulnerabilities, so it's crucial to stay vigilant and take proactive measures to protect your clients. While you can’t control what your end users may or may not approve on a daily basis, you can communicate the importance of being vigilant when it comes to granting application permissions.

And of course, remember to regularly audit your guest accounts, review authorized applications, and always stay up to date with the latest security patches and fixes.