GhostToken GCP bug allows hackers to backdoor Google accounts

May 9, 2023

The newly discovered GhostToken security vulnerability could impact all Google users and enable threat actors to backdoor their Google accounts via malicious OAuth apps installed from third-party sources or the Google Marketplace.

Based on reports, researchers discovered the bug and immediately reported it to Google last year. Fortunately, Google addressed the flaw and deployed a patch earlier this month.

Researchers explained that once a victim had authorised a malicious app and it had been linked to an OAuth token granting access to the Google account, the threat actors could exploit the vulnerability to make the app invisible.

The process would hide the app from Google’s application management page, the only destination where Google users could manage apps linked to their accounts.

On the other hand, the threat actors could freely unhide their apps and use the token to access their target’s account. They could then quickly hide the app again to restore its unremovable status. Hence the attackers hold what amounts to a ghost token for the compromised account.


The GhostToken campaign leverages a specific project state to maintain persistence.


According to investigations, the GhostToken operators could put their application into the “pending deletion” state by deleting the linked GCP project, thereby hiding the malicious apps their victims had authorised.

After restoring the project, the actors could use the refresh token they already held to obtain a new access token and retrieve their victims’ data. Furthermore, the researchers claimed that these steps are repeatable, implying that the threat actors could delete and restore the GCP project to hide and unhide their apps whenever they need to access their victims’ data.

However, the operation’s impact depends on the permissions the victims granted to the malicious applications. Lastly, the bug enables the threat actors to access a victim’s Google account permanently by converting an authorised third-party app into a trojan application. Therefore, this attack could expose the victim’s data for as long as the actors keep repeating the delete-and-restore loop.
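The hide-and-unhide loop described above, as an added toy model (not Google’s code or the researchers’ material): an OAuth grant whose owning GCP project can enter the “pending deletion” state. The `VULNERABLE` policy is the behaviour the article describes; the `FIXED` policy is an assumed remedy in which the management page lists the grant regardless of project state, so the user can still revoke it. App names and tokens are constructed sample values.

```python
# Toy model of the GhostToken visibility/validity mismatch (added illustration).
# Assumption: the remedy modelled as FIXED simply keeps pending-deletion grants
# listed on the management page; it is not a description of Google's actual patch.
from dataclasses import dataclass, field

ACTIVE, PENDING_DELETION = "active", "pending_deletion"
VULNERABLE, FIXED = "vulnerable", "fixed"

@dataclass
class Grant:
    app: str
    project_state: str = ACTIVE
    refresh_token: str = ""
    revoked: bool = False

@dataclass
class Account:
    grants: dict = field(default_factory=dict)  # app name -> Grant

def authorize(account, app, refresh_token):
    """Victim authorises the app; the app receives a long-lived refresh token."""
    account.grants[app] = Grant(app=app, refresh_token=refresh_token)

def set_project_state(account, app, state):
    """Attacker deletes (PENDING_DELETION) or restores (ACTIVE) the GCP project."""
    account.grants[app].project_state = state

def visible_apps(account, policy):
    """Apps shown on the account's application management page."""
    return sorted(
        g.app for g in account.grants.values()
        if not g.revoked and (policy == FIXED or g.project_state == ACTIVE)
    )

def revoke(account, app, policy):
    """User removes an app's access; only possible when the page shows it."""
    if app not in visible_apps(account, policy):
        return False
    account.grants[app].revoked = True
    return True

def redeem_refresh_token(account, refresh_token):
    """Token endpoint: deleting the project alone does not invalidate the token."""
    for g in account.grants.values():
        if g.refresh_token == refresh_token and not g.revoked:
            return f"access-token-for-{g.app}"
    return None
```

Under `VULNERABLE` the app disappears from the page while its refresh token keeps working, which is exactly the mismatch the user-side review in the next paragraph cannot catch; under `FIXED` the grant stays listed and can be revoked.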

Experts advise that Google users visit their account’s application management page and review all authorised third-party applications. This check lets users confirm that each app holds only the permissions necessary for its function.
