Astrix Discovers 0-Day Vulnerability in Google Cloud Platform

The vulnerability, dubbed “GhostToken”, allows attackers to gain permanent and unremovable access to a victim’s Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever. This may include data stored on victim’s Google apps, such as Gmail, Drive, Docs, Photos, and Calendar, or Google Cloud Platform’s services (BigQuery, Google Compute, etc.).

Dana Katz April 20, 2023

The flaw, dubbed “GhostToken”, enables hidden and unremovable access to a victim’s Google account via third-party applications. 

[Tel Aviv, Israel – April 20, 2023] – Astrix Security, the enterprise’s trusted solution for securing non-human connections and identities, has discovered a 0-day flaw in Google Cloud Platform (GCP). The vulnerability, dubbed “GhostToken,” allows attackers to gain permanent and unremovable access to a victim’s Google account by converting an already authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever. This may include data stored on victim’s Google apps, such as Gmail, Drive, Docs, Photos, and Calendar, or Google Cloud Platform’s services (BigQuery, Google Compute, etc.). 

Any Google account is a potential target of this vulnerability, which includes Google Workspace’s three billion users. Astrix disclosed the bug in June 2022, and a patch was rolled out by Google in April 2023.

The 0-day vulnerability was discovered by Astrix Security Research Group during a routine analysis process, where an API call returned an unusual result. Further investigation unveiled a flaw that makes it possible to hide a third-party application so the account owner is unable to revoke its access or even know it exists. Depending on the permissions granted to the malicious third-party app, the attacker may have access to the victim’s private Gmail correspondence and personal files on Google Drive. Threat actors may even impersonate the victim to launch social engineering attacks. 

Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online. Once the malicious app has been authorized, an attacker exploiting the vulnerability can bypass Google’s “Apps with access to your account” management feature, which is the only place where Google users can view third-party apps connected to their account. 

“Google has become the default that so many of us use in our daily lives, and to manage our businesses. That’s why imagining a hacker sitting directly within those Google accounts, observing personal information and schedules, sensitive business intel, or employee information, is so concerning. It not only leaves individual Google users continuously vulnerable,it also has the potential to significantly harm enterprise security,” said Alon Jackson, Astrix CEO, and co-founder. “We are very proud of our top-notch research team, who exercised their curiosity and sense of responsibility to uncover this critical flaw, and who continue to demonstrate their expertise every day. As connectivity with third-party apps continues growing exponentially, so does the number of non-human identities. We’re working diligently to protect this daunting and extending attack surface.”

In today’s hyper-connected workspace, employees are freely and independently integrating cloud services and APIs into core business applications such as Google Workspace – all in an effort to boost productivity and efficiency. Whether that be an online meeting app for your calendar or an email organization app, employees who inadvertently grant access to a malicious app may be handing over the keys to sensitive and critical enterprise data, actions that have potentially hazardous implications, as recently seen through the crippling attacks on GitHub, Slack, CircleCI and Microsoft.

“At Astrix, we spend most of our time researching how cloud platforms like Google allow connection with third-party apps, analyzing the technical integration flows,” said Tal Skverer, Astrix Research Team Lead. “So when we noticed the unusual result in Google’s API, it rang alarm bells, and we were able to discover this potentially devastating vulnerability. It is because of exploits like GhostToken that our strongest recommendation for enterprises is to secure non-human connections and identities, such as API keys, OAuth tokens, and service accounts, the same way they secure user credentials”. 

Read the full research article for a detailed technical description of Astrix’s discovery of Ghost Token and how the exploit works.

About Astrix

Founded in Tel Aviv in 2021, Astrix Security helps cloud-first companies defend against a new generation of supply chain attacks. Astrix provides holistic visibility into all non-human connections and identities – automatically detects and remediates over-privileged, unnecessary, misbehaving, and malicious app-to-app connections to prevent supply chain attacks, data leaks and compliance violations. Led by two veterans of the Israel Defense Force 8200 military intelligence unit, CEO Alon Jackson and CTO Idan Gour, Astrix’s team is rapidly expanding. Astrix has raised $15M in Seed funding and is backed by leading investors Bessemer Venture Partners, F2 Venture Capital, and Venrock. Learn more at https://astrix.security or follow us on LinkedIn.

Press Contact

Kayla Armstrong

Beyond Trending

[email protected]

Learn more

Detect and Rotate Exposed Secrets with Astrix

Detect and Rotate Exposed Secrets with Astrix

Securing NHIs in Salesforce and NetSuite for SOX Compliance

Securing NHIs in Salesforce and NetSuite for SOX Compliance

Employee offboarding: What about their NHIs?

Employee offboarding: What about their NHIs?