A vulnerability in Google Cloud Platform allowed attackers to use an OAuth application to create a backdoor to any Google account, according to cybersecurity firm Astrix. The bug, called GhostToken, allowed attackers to hide the malicious application from Google users and leverage it to access their data.
The flaw was first identified by Astrix in June 2020, and was related to the deletion of OAuth clients which are essentially GCP projects. When these projects are deleted, they enter a "pending deletion" state for 30 days, during which time they can be restored. However, they are no longer displayed in the Google account application management page, even if they continue to have access to the account.
To exploit the vulnerability, an attacker could create or take over an OAuth application, gain access to the refresh token, and delete the project associated with the app to prevent it from being removed. The attacker would then restore the project whenever they wanted to access the victim's data.
Google addressed the vulnerability in April 2023 by making applications that are in a pending deletion state visible in the Google account.
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
Only registered users can post comments. Please, login or signup.