Google accounts attacked and hijacked by this devious security flaw

If a user installs the app, authorizes it, and links it to an OAuth token, they’d give the attackers access to their Google account.

Hiding the app from the victims

The threat actors could then make the app invisible, and hide it from Google’s application management page, making it impossible for the victims to address the vulnerability. The method of “hiding” the app is where the zero-day lies - by deleting the linked GCP project, the attackers would make the app enter a “pending deletion” state, and thus make it invisible on the application management page.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," the researchers said.

Then, whenever the attackers saw fit, they’d be able to restore the project, get a fresh token, and retrieve the data from the victim’s account. What’s more - they could be able to do this indefinitely. "The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Astrix called the flaw - GhostToken. 

It’s also important to mention that the impact of the flaw depends heavily on the permissions the victims give the malicious apps.

The vulnerability was discovered in the summer of 2022 and was addressed in April of this year. Now, GCP OAuth applications pending deletion still appear on the “Apps with access to your account” page.

•  Here’s our rundown of the best firewalls out there 

Via: BleepingComputer