Vulnerability In The Google Cloud Platform Led To Stealthy Account Backdoors

A Google Cloud Platform (GCP) flaw might have given attackers the ability to secretly alter an OAuth application and open a backdoor to any Google account.

By taking advantage of the GhostToken flaw, attackers may have entirely concealed the malicious programme from Google users and used it to obtain account tokens to access the victim's data.
According to Astrix, an app-to-app security company, the weakness was related to the deletion of OAuth clients, which are essentially GCP projects. Astrix discovered the flaw in June of last year.
A GCP project enters a 'pending deletion' state for 30 days after being removed by the owner or anyone else with the required management access, letting the developer restore it if necessary.
Once deleted, such applications no longer appear on the Google account application management page, even though they still have access to the account.

The same applies to OAuth clients backed by GCP projects: the application keeps its access to the account until the client is actually deleted, even though the user receives an error stating that the client has been deleted.
Astrix also noticed that the refresh token generated when the user first authorised the application is re-enabled when such an OAuth client is restored from the 'pending deletion' state.
The security company warns that this refresh token can be used to obtain an access token to the victim's account and subsequently access their data.
An attacker might create or take control of an OAuth application to exploit this vulnerability and obtain the refresh token. Then, to prevent the victim from removing the app from their account, the attacker might delete the project connected to the offending app.
When the attacker needed to access the victim's data, they would restore the project, receive an access token by using the refresh token, remove the project once again to make the programme invisible and unremovable, and then restore it once more.
"By taking advantage of the GhostToken vulnerability, attackers can prevent the victim from seeing their malicious application on the Google account application management page. Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," Astrix notes.
In this situation, the access token would allow the attacker to read the victim’s emails, access their Google Drive and Photos files, check their calendar, monitor their position, and “grant access to the victim’s Google Cloud Platform services”, the security firm explains.
In April 2023, Google addressed the vulnerability by making applications that are in a ‘pending deletion’ state visible in the Google account, so that users can remove them.
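The delete/restore loop described above and the effect of the April 2023 fix can be modelled as a small state machine. This is an added illustration, not Google's or Astrix's code; the client id "evil-app", the user "victim" and the `show_pending_deletion` flag are constructed for the example, and the model assumes that revoking a grant destroys the refresh token outright while project deletion only disables it.

```python
from dataclasses import dataclass, field

@dataclass
class OAuthClient:
    """An OAuth client, which the article notes is essentially a GCP project."""
    client_id: str
    state: str = "active"  # "active" or "pending_deletion" (the 30-day window)
    # user -> whether the refresh token issued at consent time is currently usable
    refresh_tokens: dict = field(default_factory=dict)

def authorize(client, user):
    client.refresh_tokens[user] = True  # user consents, refresh token issued

def delete_project(client):
    client.state = "pending_deletion"  # tokens disabled but not destroyed (assumption)
    for user in client.refresh_tokens:
        client.refresh_tokens[user] = False

def restore_project(client):
    client.state = "active"  # restore re-enables the original refresh tokens
    for user in client.refresh_tokens:
        client.refresh_tokens[user] = True

def mint_access_token(client, user):
    """True if the stored refresh token still yields an access token for this user."""
    return client.state == "active" and client.refresh_tokens.get(user, False)

class AccountAppPage:
    """The only place a user can see and revoke third-party app access."""
    def __init__(self, clients, show_pending_deletion):
        self.clients = clients
        self.show_pending_deletion = show_pending_deletion  # the April 2023 fix

    def visible_apps(self, user):
        shown = {"active"} | ({"pending_deletion"} if self.show_pending_deletion else set())
        return [c.client_id for c in self.clients.values()
                if user in c.refresh_tokens and c.state in shown]

    def revoke(self, user, client_id):
        if client_id not in self.visible_apps(user):
            return False  # not listed, so the user has nothing to revoke
        del self.clients[client_id].refresh_tokens[user]  # grant destroyed for good
        return True

def ghosttoken_scenario(fixed):
    """Walk one delete -> (victim tries to revoke) -> restore cycle."""
    client = OAuthClient("evil-app")  # constructed client id
    page = AccountAppPage({client.client_id: client}, show_pending_deletion=fixed)
    authorize(client, "victim")
    delete_project(client)  # app hidden from the victim unless the fix is in place
    revoked = page.revoke("victim", "evil-app")
    restore_project(client)
    return {"revoked": revoked, "token_after_restore": mint_access_token(client, "victim")}
```

Without the fix the victim cannot revoke the hidden grant and the refresh token works again after the restore; with pending-deletion apps listed, the victim revokes it and the restore brings nothing back.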