Google has resolved a zero-day vulnerability that affected all GCP users, letting hackers backdoor accounts with OAuth apps.
A security research group found the flaw on June 19th, 2022, and Google fixed it on April 7th, 2023, with the release of a patch named GhostToken.
Prior to this fix, the flaw enabled hackers to hide malicious applications from victims' Google account application management pages, keeping the application out of view and making it impossible to remove.
Hackers did this by deleting the GCP project so that the app could go invisible on the application management page while being in a pending deletion phase. In turn, this let threat actors restore the project whenever they wanted to get a fresh token and retrieve data indefinitely.
However, with the GhostToken patch, OAuth applications in pending deletion will now be visible on the "Apps with access to your account" page, enabling users to remove them like any other. The Astrix Security team recommended that users head over to this page and check for authorized third-party apps and try to reduce their permissions.
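A defender-side way to act on that recommendation at organisation scale, as an added example that is not from the article or from Astrix: it ranks a user's third-party OAuth grants from an inventory shaped like the Admin SDK Directory API tokens.list response (field names are assumed from that API's documentation and the sample data is constructed), so broad or unvetted grants can be reviewed and revoked regardless of what the account's app page happens to display.

```python
import json
from typing import Dict, List

# Well-known Google OAuth scopes that grant broad read/write access to mail or
# files (a starting point, not an exhaustive list).
FULL_ACCESS_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
}
# OAuth client IDs the organisation has vetted (constructed placeholder value).
ALLOWLISTED_CLIENTS = {"1234.apps.googleusercontent.com"}

# Constructed sample shaped like an Admin SDK Directory API tokens.list
# response (field names assumed from that API's documentation).
SAMPLE_TOKEN_LIST = json.dumps({"kind": "admin#directory#tokenList", "items": [
    {"clientId": "1234.apps.googleusercontent.com", "displayText": "Calendar Sync",
     "nativeApp": False, "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"clientId": "9999.apps.googleusercontent.com", "displayText": "Quiz Helper",
     "nativeApp": False, "userKey": "alice@example.com",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
]})

def scope_risk(scope: str) -> int:
    """0 = read-only or metadata scope, 1 = write scope, 2 = full-access scope."""
    if scope in FULL_ACCESS_SCOPES:
        return 2
    return 0 if scope.endswith((".readonly", ".metadata")) else 1

def audit_grants(token_list_json: str) -> List[Dict[str, object]]:
    """Rank third-party OAuth grants riskiest first; unvetted clients and
    broad scopes raise the score. Built from the API inventory, not the UI."""
    findings = []
    for item in json.loads(token_list_json).get("items", []):
        if item.get("nativeApp"):  # Google's own first-party apps are out of scope here
            continue
        scopes = item.get("scopes", [])
        worst = max((scope_risk(s) for s in scopes), default=0)
        unvetted = item.get("clientId") not in ALLOWLISTED_CLIENTS
        findings.append({
            "user": item.get("userKey"),
            "clientId": item.get("clientId"),
            "app": item.get("displayText", "<unnamed client>"),
            "score": worst + (2 if unvetted else 0),  # 0 benign .. 4 unvetted + full access
            "broadScopes": sorted(s for s in scopes if scope_risk(s) == 2),
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Entries at the top of the returned queue are the ones to revoke first; the allowlist and the scope set are meant to be tuned per organisation.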
The disclosure timeline shows that Astrix's Security Research Group reported the vulnerability to Google on June 19th, 2022, and that Google accepted the report on August 18th, 2022, initially classifying it as an abuse risk.
According to Astrix Security, the vulnerability enabled hackers to hold a "ghost" token to the victim's account, giving them carte blanche to use or unhide their application at will, even after the patch is deployed. It's worth noting that users may not even know their account is at risk since the application is entirely hidden from view.
Google recently addressed a significant security vulnerability that affected all users of its Google Cloud Platform (GCP). Here's a detailed summary:
- Vulnerability Overview: The issue was identified in the Identity and Access Management (IAM) service of GCP, which is crucial for managing access to resources in the cloud environment. The vulnerability could potentially allow an unauthorized user to escalate privileges within GCP and gain access to resources they should not have access to.
- Impact: This vulnerability was particularly concerning because it had the potential to impact all GCP users, including individual developers, small businesses, and large enterprises. The IAM service is widely used for controlling permissions across GCP services, making it a critical security component.
- Response by Google: Upon discovery, Google's security team took immediate action to fix the vulnerability. They implemented patches and updated their systems to close the security gap. Google also conducted a thorough investigation to ensure that there were no breaches or misuse of the vulnerability before it was patched.
- User Action Required: Google advised all GCP users to review their IAM settings and ensure that no unauthorized changes had been made. They also recommended that users enable additional security features such as two-factor authentication and security monitoring to enhance the protection of their cloud resources.
- Transparency and Communication: Google has been transparent about the issue, providing detailed information to affected users and the public. They have released a security bulletin explaining the nature of the vulnerability, the steps taken to resolve it, and guidance for users to secure their accounts.
- No Known Exploitation: At the time of the announcement, Google reported that there was no evidence of the vulnerability being exploited in the wild. This was reassuring for users, indicating that the issue was resolved before any known malicious activities could take place.
While the vulnerability has been fixed, it serves as a reminder of the constant need for vigilance in cloud security. Users should stay informed about potential security issues and take proactive measures to protect their cloud environments. If you're a GCP user, it's advisable to follow Google's recommendations and keep an eye on any further updates or advisories from Google regarding this issue.
The fact that malicious OAuth apps could vanish from users' visibility for months reveals a shocking blind spot in Google's app governance. Worse, Google's sluggish response and initial downplay of the risk allowed threat actors a long window to abuse this vector.
The patch only exposes these ghost apps but doesn't invalidate existing tokens, leaving users vulnerable unless they manually hunt down and revoke permissions. This incident screams for a rethink of cloud token revocation policies and a reality check on how "secure" these ecosystems truly are.
The Google Cloud Platform (GCP) has patched a critical vulnerability, improving security across its services. The fix addresses potential risks, safeguarding user data and cloud operations.