Cyber security
Related Links

First discovered in June 2022 by researchers at Astrix Security, an Israeli cybersecurity company, the zero-day vulnerability known as GhostToken is quite unique, essentially giving blanket (and invisible) access to a user’s Google account.

Attack execution

  • A user authorizes a seemingly legitimate (but, in reality, evil) OAuth application.
  • In the background, the attacker receives a token for the user’s Google account.
  • The attacker deletes the project associated with the authorized OAuth application, which enters a pending deletion state, making the application hidden and unremovable by the user.
  • Whenever the attacker wishes to get access to the user’s data, they restore the project, get a new access token, and use it to access the account.
  • The attacker then immediately deletes/re-hides the application.
  • To maintain persistence, the attack loop must be executed periodically before the pending deletion project is purged.

Google rolled out a global fix on April 7th. The fix ensures that a pending deletion app still appears in the list of authorized applications, allowing the end user to disable it at any time.

3 things to can do

But what if the clients were exposed before the patch? How do users ensure they don’t fall victim to nefarious activity?

According to researchers, there are three things users can do:

  • Look for applications whose ClientID is the same as the ‘display text’ field and remove their access if they prove to be malicious;
  • Inspect the OAuth log events in the “Audit and Investigation” feature of Google Workspace for the token activity of any such apps;
  • Or, revoke the suspect token (but be sure to test with end users first).

DisplayText

SaaS Alerts capture both the App Name and ClientID in the misc section of a user’s account

For example, when reviewing our internal logs, we noticed a few instances whose ClientID matched the ‘display text’. After some testing, SaaS Alerts identified this as a PC Google Drive installation. After re-authentication, the ‘displayText’ identified the OAuth connection as Google Drive.

Per the screenshot below, SaaS Alerts capture both the App Name and ClientID in the misc section of a user’s account. So if the user sees an OAuth connection, SaaS Alerts suggests looking at the details to determine whether or not this meets the criteria identified above.

Proactive measures

Cybercriminals will continue to find new ways to exploit vulnerabilities, so it’s crucial to stay vigilant and take proactive measures to protect clients. While users can’t control what the end users may or may not approve daily, users can communicate the importance of being vigilant when it comes to granting application permissions.

A Google DLP platform can help raise an alert when someone approves an application with known vulnerabilities. And of course, remember to regularly audit the guest accounts, review authorized applications, and always stay up to date with the latest security patches and fixes.

From facial recognition to LiDAR, explore the innovations redefining gaming surveillance

Related white papers
Aligning Physical And Cyber Defence For Total Protection

Aligning Physical And Cyber Defence For Total Protection

Download
Combining Security And Networking Technologies For A Unified Solution

Combining Security And Networking Technologies For A Unified Solution

Download
System Design Considerations To Optimize Physical Access Control

System Design Considerations To Optimize Physical Access Control

Download
Related articles
How Physical Security Consultants Ensure Cybersecurity For End Users

How Physical Security Consultants Ensure Cybersecurity For End Users
How Managed Detection And Response Enhances Cybersecurity Management In Organizations

How Managed Detection And Response Enhances Cybersecurity Management In Organizations
Drawbacks Of PenTests And Ethical Hacking For The Security Industry

Drawbacks Of PenTests And Ethical Hacking For The Security Industry