A zero-day vulnerability called GhostToken allows attackers to gain irremovable access to a victim’s Google account by transforming a legitimate third-party app into a malicious Trojan horse, potentially exposing the victim’s personal data indefinitely.

In an April 20 blog post, Astrix’s Security Research Group explained that GhostToken lets attackers hide malicious apps from the application management page of a victim’s Google account. Because that page is the only place a Google user can view their authorized apps and revoke access, the exploit prevents the malicious app from ever being removed from the account.

Meanwhile, the attacker can use the refresh token obtained when the victim authorized the app to access the account, and then hide the app again so it stays undeletable. Since the application is invisible to the victim, the victim remains in the dark: they do not know the account has been compromised, and even if they have suspicions, their only recourse is to set up a new Google account.

Astrix researchers say any Google account is a potential target for GhostToken. This is significant because it includes Google Workspace’s 3 billion users. Astrix first reported the GhostToken zero-day on June 19, 2022, and Google released a patch earlier this month, on April 7, that addresses the user’s app management screen.

Security researchers may consider this new in terms of known attack techniques, but the functionality it exploits has been around for a while, said Mike Parkin, senior technical engineer at Vulcan Cyber.

According to Parkin, it has nothing to do with the recently reported zero-day attack on Chrome. This is an issue with the way Google’s ecosystem handles third-party authorizations, and it has been fixed. The claims of permanent and irremovable access were a bit exaggerated, he said, as the fix was obvious and easy to implement.

Of course, depending on the privileges the victim granted to the malicious app, the attacker could read the victim’s personal correspondence in Gmail, access personal files in Google Drive and Google Photos, view scheduled events in Google Calendar, track the victim’s location via Google Maps, or gain access to the victim’s Google Cloud Platform services.
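The revocation gap described above comes down to one design point: a refresh token stays valid as long as its grant is not revoked, while the only revocation control the user has acts on what the management page happens to list. The toy model below is an added illustration of that gap and of the privilege exposure just described; it is not Google’s implementation or Astrix’s research code. The class names, the `hidden` flag (a stand-in for whatever state let a real app drop off the management page) and the short scope labels are all constructed for the example. Running `simulate(False)` walks the sequence with a management page that omits hidden grants; `simulate(True)` shows the same sequence once the page lists every unrevoked grant, which is the kind of fix the article calls obvious.

```python
"""Toy model of the revocation gap behind GhostToken (added illustration, not Google's
or Astrix's code). Class names, the 'hidden' flag and the scope labels are constructed."""
from dataclasses import dataclass
import secrets

# Constructed scope labels standing in for the privileges the article lists.
SENSITIVE_SCOPES = {"mail.readonly", "drive", "photos", "calendar.readonly",
                    "location", "cloud-platform"}


@dataclass
class Grant:
    client_id: str
    scopes: frozenset
    refresh_token: str
    hidden: bool = False    # app is missing from the management page
    revoked: bool = False


class AccountAuthServer:
    """Tracks third-party grants on one account and redeems refresh tokens."""

    def __init__(self, list_hidden_grants: bool):
        # Hardening switch: does the management page list hidden grants too?
        self.list_hidden_grants = list_hidden_grants
        self.grants: dict[str, Grant] = {}

    def authorize(self, client_id: str, scopes: set[str]) -> str:
        """User consents to an app; the app receives a long-lived refresh token."""
        token = secrets.token_urlsafe(16)
        self.grants[client_id] = Grant(client_id, frozenset(scopes), token)
        return token

    def set_hidden(self, client_id: str, hidden: bool) -> None:
        self.grants[client_id].hidden = hidden

    def list_apps(self) -> list:
        """What the user sees on the app management page."""
        return [g for g in self.grants.values()
                if not g.revoked and (self.list_hidden_grants or not g.hidden)]

    def revoke(self, client_id: str) -> None:
        self.grants[client_id].revoked = True

    def redeem(self, refresh_token: str) -> bool:
        """Token endpoint: a refresh token works while its grant is unrevoked.
        Visibility on the management page plays no part, which is the whole problem."""
        return any(g.refresh_token == refresh_token and not g.revoked
                   for g in self.grants.values())


def simulate(list_hidden_grants: bool) -> dict:
    """Consent, hide, user cleans up, app reappears, attacker redeems the token."""
    server = AccountAuthServer(list_hidden_grants)
    server.authorize("notes-sync", {"drive", "calendar.readonly"})
    attacker_token = server.authorize("helpful-addon",
                                      {"mail.readonly", "drive", "cloud-platform"})

    server.set_hidden("helpful-addon", True)    # app vanishes from the management page
    seen = server.list_apps()
    for g in seen:                              # user revokes everything they can see
        server.revoke(g.client_id)
    server.set_hidden("helpful-addon", False)   # app reappears for the next refresh
    still_valid = server.redeem(attacker_token)

    exposed = server.grants["helpful-addon"].scopes & SENSITIVE_SCOPES
    return {
        "apps_user_could_revoke": sorted(g.client_id for g in seen),
        "attacker_token_still_valid": still_valid,
        "sensitive_scopes_exposed": sorted(exposed) if still_valid else [],
    }


if __name__ == "__main__":
    print("page hides the grant     :", simulate(False))
    print("page lists all grants    :", simulate(True))
```

The check this model makes explicit is the one a defender wants from any identity provider or SaaS platform: the revocation surface shown to the user must be derived from the same grant table the token endpoint consults, so that nothing the token endpoint will honour can be absent from the list the user is asked to review.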

Craig Burland, Chief Information Security Officer at Inversion6, added that the disclosure from Astrix should help cybersecurity teams focus on cloud security, especially third-party integrations. Burland said the cloud ecosystem offers a wealth of integrations that can add or enhance functionality. From simple email merges to full-blown analytics, it’s all just a few clicks away.

But there is another side to the coin, Burland said. Cyber teams are already struggling to manage third-party risk efficiently and effectively as organizations frantically send each other 300-question questionnaires. Cloud integration bypasses all that governance, cuts straight through, increases productivity, and introduces risk. So who is going to see what is integrated into cloud applications? Who will see what rights and permissions have been granted? What personal data has been exposed?