Google OAuth bug left accounts open to permanent compromise

‘GhostToken’ exposed users to data theft and more.

An OAuth bug discovered in Google’s Cloud Platform potentially allowed attackers to plant an application inside a victim’s account, leaving it permanently and undetectably compromised.

The bug was discovered by Astrix, an Israeli security outfit, which reported the zero-day vulnerability to Google in July 2022.

A fix shipped earlier this month, Astrix said in a post detailing the vulnerability.

If a victim was successfully compromised, the attacker's planted app could read their Gmail, access their files and photos, view their calendar, and track their location in Google Maps, Astrix said, limited only by the permissions the victim had granted to the app.

An attack would start with a malicious app published to the Google Marketplace, the post explained.

When a user authorised it for installation, the app received an OAuth token giving it access to that user's account with the permissions the user had granted.

However, the GhostToken vulnerability would allow the attacker to then hide the app from the user.

“By exploiting the GhostToken vulnerability, attackers can hide their malicious application from the victim’s Google account application management page,” Astrix’s post claimed. 

“Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account. 

“The attacker … can unhide their application and use the token to access the victim’s account, and then quickly hide the application again to restore its unremovable state.

“In other words, the attacker holds a ‘ghost’ token to the victim’s account.”

Google acknowledged the vulnerability in August 2022 and rolled out a global update on April 7, Astrix said.
