• Wed. Oct 11th, 2023

Hackers can conceal dangerous apps in the Google Cloud Platform by using “Ghost tokens”

Avatar photo

ByEsme Greene

May 18, 2023
Hackers can conceal dangerous apps in the Google Cloud Platform by using "Ghost tokens"
Esme Greene
Latest posts by Esme Greene (see all)

Even seasoned cybersecurity specialists can become confused by the “GhostToken” vulnerability’s abuse.

Information on a newly resolved zero-day vulnerability in the Google Cloud Platform (GCP) has been made public by security professionals. This weakness allowed cyber criminals to conceal harmful programs in the account of the target.

Astrix Security, an Israeli startup, uncovered the Ghost Token Vulnerability, which impacts all Google accounts, including Workspace accounts for businesses. The flaw appeared on June 19, 2022. A global patch was implemented by the California corporation on April 7, 2023, just nine months later.

What the GhostToken is Capable of

According to the research, the GhostToken weakness enables cyber criminals to perpetually enter the victim’s Google account by converting a third-party program that had previously been permitted into a Trojan, leaving the victim’s private information exposed.

Simply said, a weakness enables an attacker to conceal their malicious program from the Google account of the victim’s application permission control pages, prohibiting the target from canceling permission.

To accomplish the desired result, the GCP application connected to the permitted OAuth app is deleted, putting the assignment into the state of awaiting removal. The intruder is able to render the project invisible once more after displaying the malicious app within it to secretly collect the target’s data.

It’s Almost Impossible for the Target to Resist

A report from Astrix Security reveals that attackers can manipulate the permissions granted to benign-looking applications downloaded from Google Play to gain unauthorized access to users’ sensitive data and accounts.

Such a breach could lead to the deletion of files from Google Drive, unauthorized email composition via Gmail, tracking of device location, and pilfering of confidential data from any Google service.

This vulnerability arises because malevolent apps can bypass the “Apps with account access” feature of Google that is meant to allow users to see the third-party applications linked to their accounts. As a result, attackers can access and exploit the user’s account and data while remaining undetected.

Google has recently taken a step to address this issue by releasing a patch that shows apps pending deletion on the Third Party Access page. This feature enables users to retract permissions granted to applications that they no longer trust or recognize. The update provides a way for users to remain aware of which apps have access to their data and helps them prevent unauthorized access.

Avatar photo

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.