Ghost Token Lets Attackers Conceal Malware in Google Cloud

Cybersecurity researchers have disclosed the details of a major security flaw uncovered in Google Cloud Platform (GCP) that allowed attackers to conceal harmful applications in the victim’s account. The vulnerability, known as GhostToken, affects all Google accounts, including corporate Workspace accounts. The vulnerability was discovered on June 19, 2022, and was resolved nine months later on April 7, 2023.

According to a report by Astrix Security, the vulnerability enabled hackers to gain persistent access to a victim’s Google account by converting a third-party application already authorized by the victim into a trojan, leaving their personal data exposed. In other words, attackers could hide their malicious application within the victim’s Google account pages, preventing the victim from accessing their account. This was accomplished by deleting the GCP project linked to the authorized OAuth application, effectively causing the project to enter a “waiting” state. The attacker could then secretly display the fraudulent application in the same project, obtain the victim’s data, and hide the project again.

Astrix Security explained that this is an “ICOMPLATION scheme” in which the attacker holds a “ghostly” token for the victim’s account, granting them access to different data types depending on the applications associated with the victim’s account. The potential malicious activity could include deleting files from Google Drive, writing emails through Gmail, tracking the device’s location, and stealing confidential data.

Victims could accidentally give access to malicious applications while installing a seemingly safe application from the Google Play Store. An attacker using the vulnerability could bypass the “Applications that have access to the account” function, which is the only place where users can view third-party applications linked to their account. Once the victim had authorized the malicious application, an attacker could exploit the vulnerability.

Google has since corrected the problem with a patch that displays third-party applications in the waiting status on the third-party access page, enabling users to revoke the permissions granted to such applications.
