28 Apr 2023

First discovered in June 2022 by researchers at Astrix Security, an Israeli cybersecurity company, the zero-day vulnerability known as GhostToken is unusual: it gives an attacker persistent, invisible access to a victim’s Google account through an OAuth application the victim cannot see or revoke.

Attack execution

  • A user authorises a seemingly legitimate (but, in reality, malicious) OAuth application.
  • In the background, the attacker receives an OAuth refresh token for the user’s Google account, scoped to whatever permissions the user granted.
  • The attacker deletes the Google Cloud project that owns the OAuth application. The project enters a “pending deletion” state, and while it is in that state the application disappears from the user’s list of authorised apps, so the user can neither see nor remove it.
  • Whenever the attacker wants the user’s data, they restore the project, exchange the refresh token for a new access token, and use it to access the account.
  • The attacker then immediately deletes the project again, re-hiding the application.
  • To maintain persistence, the attacker must repeat this loop before the pending-deletion project is permanently purged (Google Cloud keeps a deleted project restorable for 30 days).

Google rolled out a global fix on April 7th, 2023. The fix ensures that an app whose project is pending deletion still appears in the user’s list of authorised applications, so the end user can remove its access at any time.

3 things you can do

But what if clients were exposed before the patch? How can you check that a user has not already fallen victim to this technique?

According to the researchers, there are three things you can do:

  • Look for authorised applications whose ClientID is identical to the ‘display text’ field (a sign that Google could not resolve the owning project to a name) and remove their access if they prove to be malicious;
  • Inspect the OAuth token log events in the “Audit and Investigation” tool of the Google Workspace admin console for token activity from any such apps;
  • Revoke the suspect token (but confirm with the affected end users first, because legitimate apps can also match this pattern).

DisplayText


For example, when reviewing our internal logs, we noticed a few OAuth connections whose ClientID matched the ‘display text’. After some testing, SaaS Alerts identified these as a Google Drive installation on a PC. After re-authentication, the ‘displayText’ identified the OAuth connection as Google Drive. In other words, the ClientID-equals-display-text indicator can produce false positives, so investigate each match before revoking anything.

Per the screenshot below, SaaS Alerts captures both the App Name and the ClientID in the misc section of a user’s account. So if you see an unfamiliar OAuth connection, SaaS Alerts suggests checking those details to determine whether it meets the criteria identified above.
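The detection logic from the three steps above, plus the allowlisting the Google Drive example calls for, as an added worked example. This is example code written for this page, not SaaS Alerts’ or Astrix Security’s code. It assumes records shaped like the Google Workspace Reports API’s token-audit activities (`activities.list(applicationName="token")`, with `events[].name` and `events[].parameters[]` carrying `client_id` and `app_name`); the sample records and the allowlist entry are constructed, and the client IDs in them are fictitious.

```python
"""Flag OAuth clients whose display text has collapsed to the bare client ID
(the GhostToken indicator) in Google Workspace token-audit events, skip
clients already verified as legitimate, and build the list of tokens to
revoke.  Example code added to this page, not SaaS Alerts' or Astrix's code.
"""
from collections import defaultdict

# Constructed sample records (not real log data), shaped like Reports API
# token activities: actor.email, id.time, events[].name, events[].parameters[].
SAMPLE_ACTIVITIES = [
    {   # legitimate app: display text is a human-readable name
        "actor": {"email": "alice@example.com"},
        "id": {"time": "2023-04-01T09:00:00.000Z"},
        "events": [{"name": "authorize", "parameters": [
            {"name": "client_id", "value": "1234-aaa.apps.googleusercontent.com"},
            {"name": "app_name", "value": "Slack"},
            {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive.readonly"]},
        ]}],
    },
    {   # suspicious: app_name == client_id, so the owning project could not be resolved
        "actor": {"email": "bob@example.com"},
        "id": {"time": "2023-04-02T02:13:00.000Z"},
        "events": [{"name": "activity", "parameters": [
            {"name": "client_id", "value": "5678-bbb.apps.googleusercontent.com"},
            {"name": "app_name", "value": "5678-bbb.apps.googleusercontent.com"},
            {"name": "method_name", "value": "gmail.users.messages.list"},
        ]}],
    },
    {   # same indicator, but a client you verified by re-authenticating (cf. Google Drive on a PC)
        "actor": {"email": "carol@example.com"},
        "id": {"time": "2023-04-02T10:00:00.000Z"},
        "events": [{"name": "authorize", "parameters": [
            {"name": "client_id", "value": "9012-ccc.apps.googleusercontent.com"},
            {"name": "app_name", "value": "9012-ccc.apps.googleusercontent.com"},
        ]}],
    },
]

# Hypothetical allowlist of client IDs confirmed legitimate after investigation.
KNOWN_GOOD_CLIENTS = {"9012-ccc.apps.googleusercontent.com"}


def _params(event):
    """Flatten an event's parameter list into a dict (multi-valued ones stay lists)."""
    return {p["name"]: p.get("value", p.get("multiValue")) for p in event.get("parameters", [])}


def find_ghost_clients(activities, known_good=frozenset()):
    """Return {client_id: {"users": set, "events": {event_name: count}, "methods": set}}
    for every client whose app_name equals its client_id and is not allowlisted."""
    hits = defaultdict(lambda: {"users": set(), "events": defaultdict(int), "methods": set()})
    for act in activities:
        user = act.get("actor", {}).get("email", "?")
        for ev in act.get("events", []):
            p = _params(ev)
            cid, name = p.get("client_id"), p.get("app_name")
            if not cid or name != cid or cid in known_good:
                continue
            h = hits[cid]
            h["users"].add(user)
            h["events"][ev.get("name", "?")] += 1
            if p.get("method_name"):
                h["methods"].add(p["method_name"])
    return dict(hits)


def revoke_list(hits):
    """(user, client_id) pairs to feed to Directory API users.tokens.delete(userKey, clientId)."""
    return sorted((u, cid) for cid, h in hits.items() for u in h["users"])


if __name__ == "__main__":
    found = find_ghost_clients(SAMPLE_ACTIVITIES, KNOWN_GOOD_CLIENTS)
    for cid, h in found.items():
        print(cid, sorted(h["users"]), dict(h["events"]), sorted(h["methods"]))
    print("revoke:", revoke_list(found))
```

Run against a real export, the `methods` set tells you what data a hidden client actually touched (the `activity` events), and the `events` counts expose the periodic re-authorise/access pattern described in the attack steps. Revoke only after the allowlist has been populated from the same re-authentication test the page describes for Google Drive.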

Proactive measures

Cybercriminals will continue to find new ways to exploit vulnerabilities, so it’s crucial to stay vigilant and take proactive measures to protect clients. While you can’t control what end users approve day to day, you can communicate the importance of being careful when granting application permissions.

A DLP or monitoring platform for Google Workspace can help raise an alert when someone approves an application with known vulnerabilities. And of course, remember to regularly audit guest accounts, review authorised applications, and always stay up to date with the latest security patches and fixes.