The Cyber Security News

GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform

April 21, 2023

Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim’s Google account.

Israeli cybersecurity startup Astrix Security, which discovered and reported the issue to Google on June 19, 2022, dubbed the shortcoming GhostToken.

The issue impacted all Google accounts, including enterprise-focused Workspace accounts. Google deployed a global patch more than nine months later, on April 7, 2023.


“The vulnerability […] will allow attackers to achieve permanent and unremovable access to a victim’s Google account by changing a now-approved 3rd-party application into a malicious trojan app, leaving the victim’s personal facts uncovered eternally,” Astrix stated in a report.

In a nutshell, the flaw makes it possible for an attacker to hide their malicious app from the application management page of a victim’s Google account, effectively preventing users from revoking its access.

This is achieved by deleting the GCP project associated with the authorized OAuth application, causing it to go into a “pending deletion” state. The threat actor, armed with this capability, could then unhide the rogue application by restoring the project, use the access token to obtain the victim’s data, and make the app invisible again.

“In other words, the attacker holds a ‘ghost’ token to the victim’s account,” Astrix reported.

The type of data that can be accessed depends on the permissions granted to the application, which the adversaries can abuse to delete files from Google Drive, write emails on the victim’s behalf to carry out social engineering attacks, track locations, and exfiltrate sensitive data from Google Calendar, Photos, and Drive.

“Victims may unknowingly authorize access to such destructive apps by setting up a seemingly innocent application from the Google Market or one of the many productivity tools accessible online,” Astrix added.

“As soon as the destructive app has been authorized, an attacker exploiting the vulnerability can bypass Google’s ‘Applications with access to your account’ administration attribute, which is the only position where Google consumers can look at 3rd-party applications related to their account.”

Google’s patch addresses the issue by now displaying apps that are in a pending deletion state on the third-party access page, allowing users to revoke the authorization granted to such applications.

The findings come a little over a month after cloud incident response firm Mitiga revealed that adversaries could take advantage of “inadequate” forensic visibility into GCP to exfiltrate sensitive data.
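The listing logic before and after the patch can be compared in a small model. This is an added example, not code from Google or Astrix: the class names, the `notes-sync` app and the rule that a token works whenever the project is active are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending deletion"

@dataclass
class OAuthApp:
    name: str
    state: ProjectState = ProjectState.ACTIVE

@dataclass
class Account:
    """Toy model of one user's third-party app grants (hypothetical)."""
    grants: dict = field(default_factory=dict)  # app name -> OAuthApp

    def listed_apps(self, patched):
        # Pre-patch: apps whose project is pending deletion are left off the
        # management page. Post-patch: they are displayed as well.
        return sorted(name for name, app in self.grants.items()
                      if patched or app.state is ProjectState.ACTIVE)

    def revoke(self, name, patched):
        # The user can only revoke what the management page displays.
        if name not in self.listed_apps(patched):
            return False
        del self.grants[name]
        return True

    def token_usable(self, app):
        # Model assumption: the grant survives deletion and restoration of
        # the project, and the token works whenever the project is active.
        return app.name in self.grants and app.state is ProjectState.ACTIVE

def replay(patched):
    """Replay the sequence from the article; report what the user could do."""
    account, app = Account(), OAuthApp("notes-sync")  # constructed app name
    account.grants[app.name] = app                    # user authorizes the app
    app.state = ProjectState.PENDING_DELETION         # project is deleted
    visible = app.name in account.listed_apps(patched)
    revoked = account.revoke(app.name, patched)
    app.state = ProjectState.ACTIVE                   # project is restored
    return {"visible": visible, "revoked": revoked,
            "token_usable_after_restore": account.token_usable(app)}
```

The pre-patch run leaves the grant alive because revocation is only reachable through a view that filters on project state; the patched run lists the app regardless of state, so the grant can be removed before the project is restored.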


Some sections of this report are sourced from:
thehackernews.com
