Google accounts attacked and hijacked by this devious security flaw


Google’s Cloud Platform (GCP) was vulnerable to a zero-day flaw that allowed threat actors access to people’s accounts, and all the data found there (Gmail, Drive, Docs, Photos, and more), researchers say.

Experts from Astrix Security found that a threat actor could create a malicious Google Cloud Platform app, and advertise it either via the Google Marketplace, or third-party providers.

If a user installs the app, authorizes it, and links it to an OAuth token, they’d give the attackers access to their Google account.

Hiding the app from the victims

The threat actors could then make the app invisible, and hide it from Google’s application management page, making it impossible for the victims to address the vulnerability. The method of “hiding” the app is where the zero-day lies - by deleting the linked GCP project, the attackers would make the app enter a “pending deletion” state, and thus make it invisible on the application management page.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," the researchers said.

Then, whenever the attackers saw fit, they’d be able to restore the project, get a fresh token, and retrieve the data from the victim’s account. What’s more, they could do this indefinitely. "The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Astrix named the flaw GhostToken.

It’s also important to mention that the impact of the flaw depends heavily on the permissions the victims give the malicious apps.

The vulnerability was discovered in the summer of 2022 and was addressed in April of this year. Now, GCP OAuth applications pending deletion still appear on the “Apps with access to your account” page.
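To make the hide-and-restore sequence concrete, the following Python model (an added example, not Astrix's or Google's code) simulates the account's "Apps with access" page before and after the fix. The classes, state names and the "Ghost App" grant are constructed assumptions; the only point modelled is that a grant whose project is pending deletion was filtered out of the page, so the user had nothing to revoke, while the restored project's token kept working.

```python
from dataclasses import dataclass, field
from enum import Enum

class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending_deletion"  # deleted but restorable for a grace period

@dataclass
class OAuthGrant:
    app_name: str
    project_state: ProjectState   # state of the GCP project the OAuth app is linked to
    scopes: tuple
    revoked: bool = False

    def token_usable(self):
        """A token works only while the grant is unrevoked and its project is active."""
        return not self.revoked and self.project_state is ProjectState.ACTIVE

@dataclass
class GoogleAccount:
    grants: list = field(default_factory=list)

    def list_apps(self, show_pending_deletion):
        """Model of the 'Apps with access to your account' page. Before the fix,
        grants whose project was pending deletion were filtered out."""
        return [g.app_name for g in self.grants if not g.revoked
                and (show_pending_deletion or g.project_state is ProjectState.ACTIVE)]

    def revoke(self, app_name, show_pending_deletion):
        """The user can only revoke what the page lets them see."""
        if app_name not in self.list_apps(show_pending_deletion):
            return False
        for g in self.grants:
            if g.app_name == app_name:
                g.revoked = True
        return True

def simulate(fixed):
    """Walk the GhostToken sequence; `fixed` selects post-patch listing behaviour."""
    grant = OAuthGrant("Ghost App", ProjectState.ACTIVE, ("drive.readonly",))  # constructed
    account = GoogleAccount([grant])
    grant.project_state = ProjectState.PENDING_DELETION  # app owner deletes the project
    visible = "Ghost App" in account.list_apps(fixed)
    could_revoke = account.revoke("Ghost App", fixed)
    grant.project_state = ProjectState.ACTIVE             # project restored later
    return {"visible_while_pending": visible,
            "user_could_revoke": could_revoke,
            "token_usable_after_restore": grant.token_usable()}
```

Calling `simulate(False)` reproduces the pre-fix outcome (hidden, unrevokable, token still usable after restore); `simulate(True)` shows the patched page listing the pending-deletion app so the user can revoke it.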

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
