Google has recently patched a zero-day security vulnerability, called GhostToken, that allows attackers to create an invisible and irrecoverable backdoor in the Google Cloud Platform (GCP). By exploiting this flaw, an attacker could access the victim’s account and tamper with the associated data and files on Gmail or Google Docs, with literally zero visibility to the victim.
How GhostToken works
The GhostToken flaw was discovered and reported to Google by the Israeli security company Astrix in June 2022. Google rolled out a patch for the flaw early this month.
- This flaw allows any user to hide any application from the Google account application management page, which is the only place where authorized applications can be seen and uninstalled.
- Once any malicious application is authorized on any device, that application can be made invisible by exploiting the GhostToken flaw.
- Since a victim is not able to view the malicious application on Google's application management page, it becomes impossible for them to remove the app.
Diving into tech
The core concept behind the GhostToken attack lies in how GCP manages tokens for OAuth applications. When a Google account user authorizes a third-party OAuth application, the application receives a refresh token that grants it access to the Google account.
- If the user unknowingly authorizes a malicious application created by an attacker (after being convinced through some social engineering tactic), the attacker obtains a refresh token for the victim’s Google account.
- If the attacker then deletes the GCP project linked to that malicious application, the application enters a pending-deletion state, which renders it hidden and unremovable on the victim’s Google account application management page.
- Whenever the attacker wishes to access the victim’s account, he only needs to restore the project and use the refresh token to access the account and its associated files and resources.
- If the refresh token expires, he can even create a new one. To hide the application from the victim again, he simply deletes the project once more.
Depending on the permissions granted to the malicious application, the attacker gains access to the victim’s Gmail, Google Docs, Google Photos, Google Calendar, and other resources on GCP.
A word of caution
Google’s patch for GhostToken lets users see all authorized applications, including those in the pending-deletion state, on the ‘Apps with access to your account’ page. Users are advised to visit the app management page, review every third-party application authorized to access their Google account, and remove any that are no longer used.
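The advice above is a manual review of the app management page. In a Google Workspace tenant an administrator can pull the same list of third-party grants for each user through the Admin SDK Directory API `tokens.list` endpoint and triage it in bulk. The script below is an added example, not code from the article, from Astrix, or from Google: it runs the triage step over constructed sample records shaped like a `tokens.list` response (fields `clientId`, `displayText`, `scopes`, `anonymous`, `nativeApp`), flagging grants that are not on an approved list and that either reach the resources the article names (Gmail, Docs/Drive, Photos, Calendar) or come from an anonymous, unregistered client. The client IDs, app names and the approved list are all invented for illustration.

```python
"""Triage a user's third-party OAuth grants for risky access.

Added example; not code from the original article, from Astrix, or from
Google. Assumes token records shaped like the Google Workspace Admin SDK
Directory API `tokens.list` response. The records below are constructed
sample data, not real grants.
"""
from dataclasses import dataclass, field

# Scope prefixes that reach the resources named in the article. This is an
# illustrative watch-list; extend it to match the tenant's own risk model.
SENSITIVE_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/photoslibrary",
    "https://www.googleapis.com/auth/calendar",
)

# Constructed sample of what tokens.list might return for one user.
SAMPLE_TOKENS = [
    {
        "clientId": "111111111111-calendarsync.apps.googleusercontent.com",  # constructed
        "displayText": "Team Calendar Sync",
        "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
        "anonymous": False,
        "nativeApp": False,
    },
    {
        "clientId": "222222222222-pdfconvert.apps.googleusercontent.com",  # constructed
        "displayText": "Free PDF Converter",
        "scopes": [
            "https://mail.google.com/",
            "https://www.googleapis.com/auth/drive",
            "openid",
        ],
        "anonymous": True,
        "nativeApp": False,
    },
    {
        "clientId": "333333333333-corpmail.apps.googleusercontent.com",  # constructed
        "displayText": "Corporate Mail Client",
        "scopes": ["https://www.googleapis.com/auth/gmail.readonly"],
        "anonymous": False,
        "nativeApp": True,
    },
]

# Grants the organisation has already reviewed and accepts (constructed).
APPROVED_CLIENT_IDS = frozenset({"333333333333-corpmail.apps.googleusercontent.com"})


@dataclass
class Finding:
    client_id: str
    display_text: str
    sensitive_scopes: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def sensitive_scopes(scopes):
    """Return the subset of `scopes` that match the watch-list prefixes."""
    return [s for s in scopes if s.startswith(SENSITIVE_SCOPE_PREFIXES)]


def audit_tokens(tokens, approved=APPROVED_CLIENT_IDS):
    """Flag grants not on the approved list that reach sensitive resources
    or come from an anonymous (unregistered) client. Highest impact first."""
    findings = []
    for tok in tokens:
        if tok["clientId"] in approved:
            continue
        hits = sensitive_scopes(tok.get("scopes", []))
        reasons = []
        if hits:
            reasons.append("grants access to sensitive resources")
        if tok.get("anonymous"):
            reasons.append("client is anonymous (not registered with Google)")
        if reasons:
            findings.append(Finding(tok["clientId"], tok.get("displayText", "<unknown>"), hits, reasons))
    findings.sort(key=lambda f: len(f.sensitive_scopes), reverse=True)
    return findings


def report(findings):
    """Render findings as plain text, one grant per block."""
    lines = []
    for f in findings:
        lines.append(f"{f.display_text} ({f.client_id})")
        lines.extend(f"  - {r}" for r in f.reasons)
        lines.extend(f"  scope: {s}" for s in f.sensitive_scopes)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_tokens(SAMPLE_TOKENS)))
```

In a real deployment the `SAMPLE_TOKENS` list is replaced by the items returned from `tokens.list` for each user, and a grant the reviewer decides to remove is revoked with the Directory API `tokens.delete` call for that user and client ID. The watch-list matches by prefix on purpose, so narrower variants such as `calendar.readonly` or `gmail.readonly` are still surfaced; whether a read-only grant is acceptable is a policy decision the approved list encodes.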