Zero-day flaws sit at the top of the list of online security risks because they let attackers exploit a vulnerability the software vendor does not yet know about. Recently, Google Cloud Platform (GCP), a widely used data storage and management platform, became the target of one such exploit, which allowed attackers to gain access to people’s Google accounts, including data in Gmail, Drive, Docs, Photos, and more.
Although the Israeli cybersecurity startup Astrix Security discovered and reported the vulnerability back in June 2022, Google is now rolling out a patch to address the issue.
How does the vulnerability work?
Dubbed GhostToken, the vulnerability allowed attackers to create a malicious GCP app of their own and advertise it through the Google marketplace. If a user installed the malicious app and authorized it, granting it an OAuth token for their account, the attackers then gained access to the user’s Google account.
Additionally, to make it impossible for victims to remove the app, attackers could hide it by deleting the linked GCP project, which put the app in a “pending deletion” state and made it invisible on the Google application management page. To make matters worse, attackers could repeat this cycle of hiding and restoring the malicious app every time they needed access to the victim’s data.
While the impact of the attack depended on the permissions the victim granted to the app, once the attackers had access to the Google account they held a “ghost” token that granted them access to the data indefinitely.
Google’s solution
Google’s recent update has finally fixed the vulnerability by ensuring that GCP OAuth applications in a “pending deletion” state now appear on the “Apps with access to your account” page, which allows users to remove these applications and prevent any attempt to hijack their accounts.
Moreover, to stay protected from future vulnerabilities and exploits, users should also regularly check their app management page to verify that all third-party applications have only the permissions necessary for their intended functions.
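For Google Workspace administrators, the app review recommended above can be automated across many users. The following is an added example, not code from the article or from Google: it assumes the input is a list of OAuth grant records in the shape returned by the Admin SDK Directory API `users.tokens.list` (fields `clientId`, `displayText`, `anonymous`, `scopes`), embeds a constructed sample instead of calling the API, and flags grants that carry broad mail, file, document or photo scopes or that come from an anonymous client; the scope prefix list is an illustrative assumption.

```python
from typing import Dict, List

# Scope prefixes covering the data classes the report names (mail, files,
# docs, photos). Illustrative selection, an assumption of this example.
SENSITIVE_PREFIXES = (
    "https://www.googleapis.com/auth/gmail",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/documents",
    "https://www.googleapis.com/auth/photoslibrary",
)

# Constructed sample in the shape of Admin SDK `users.tokens.list` items:
# a narrow-scope app, an app with broad mail+files access, and an
# anonymous (unregistered) client.
SAMPLE_TOKENS: List[Dict] = [
    {"clientId": "111.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "anonymous": False,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "222.apps.googleusercontent.com", "displayText": "Doc Helper",
     "anonymous": False,
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/drive"]},
    {"clientId": "333.apps.googleusercontent.com", "displayText": "",
     "anonymous": True,
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
]


def sensitive_scopes(scopes: List[str]) -> List[str]:
    """Return the scopes in `scopes` that touch mail, files, docs or photos."""
    return [s for s in scopes if s.startswith(SENSITIVE_PREFIXES)]


def audit_tokens(tokens: List[Dict]) -> List[Dict]:
    """Return one finding per grant that carries sensitive scopes or comes
    from an anonymous client, with reasons, so an admin reviews (and revokes
    with `users.tokens.delete`) only the risky grants."""
    findings = []
    for t in tokens:
        reasons = []
        risky = sensitive_scopes(t.get("scopes", []))
        if risky:
            reasons.append("sensitive scopes: " + ", ".join(risky))
        if t.get("anonymous"):
            reasons.append("anonymous client (not registered with Google)")
        if reasons:
            findings.append({"clientId": t["clientId"],
                             "displayText": t.get("displayText") or "(no name)",
                             "reasons": reasons})
    return findings
```

Run `audit_tokens(SAMPLE_TOKENS)` to see the two flagged grants; a grant that only shows up in the findings after a project has been restored from “pending deletion” is exactly the pattern the article describes.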