Accounts left vulnerable to permanent compromise due to Google OAuth bug

Google’s Cloud Platform was found to have a vulnerability that could allow attackers to plant applications in a victim’s account, potentially compromising it permanently and without detection.


The flaw, known as GhostToken, was discovered by Israeli security firm Astrix, which alerted Google to the zero-day vulnerability in July 2022. An attacker who successfully compromised a victim’s account could read their Gmail, access their files and photos, view their calendar and track their location in Google Maps, depending on the permissions granted to the app.


The attack would begin with a compromised file in Google Marketplace: the app receives an OAuth token that gives it access to the installer’s account with whatever permissions the user authorised.


GhostToken would then allow the attacker to hide the app from the user, making it impossible to remove from the account. Google acknowledged the flaw in August 2022 and issued a global update on April 7 to fix it.
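Because the article's point is that a planted app holds an OAuth token scoped to Gmail, Drive, Photos or Calendar and can be hidden from the account owner, the defender's counter is an inventory of third-party OAuth grants taken from the admin side and compared against a baseline. The script below is an added example written for this article, not code from Astrix or Google. It assumes a JSON payload shaped like the Google Workspace Directory API `users.tokens.list` response (the sample payload, client IDs, users and app names are constructed), and the scope-to-data mapping is my own selection. Whether tokens hidden by GhostToken were visible through that admin listing is not something the article addresses, so treat the inventory as one check, not a guarantee.

```python
import json
from typing import Dict, List, Set, Tuple

# OAuth scopes that correspond to the data the article says a planted app
# could reach. Assumption: this mapping is my own selection for the example.
SENSITIVE_SCOPES: Dict[str, str] = {
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read Gmail",
    "https://www.googleapis.com/auth/drive": "full Drive access",
    "https://www.googleapis.com/auth/drive.readonly": "read Drive files",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read Photos",
    "https://www.googleapis.com/auth/calendar": "full Calendar access",
    "https://www.googleapis.com/auth/calendar.readonly": "read Calendar",
}

# Constructed sample payload, shaped like a Directory API users.tokens.list
# response (assumed shape; client IDs, users and app names are made up).
SAMPLE_TOKENS_RESPONSE = json.dumps({
    "kind": "admin#directory#tokens",
    "items": [
        {
            "clientId": "111111111111.apps.googleusercontent.com",
            "displayText": "Example Notes Helper",
            "anonymous": False, "nativeApp": False,
            "userKey": "alice@example.com",
            "scopes": [
                "https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive",
                "openid", "email",
            ],
        },
        {
            "clientId": "222222222222.apps.googleusercontent.com",
            "displayText": "Slides Theme Pack",
            "anonymous": False, "nativeApp": False,
            "userKey": "bob@example.com",
            "scopes": ["https://www.googleapis.com/auth/presentations", "openid"],
        },
        {
            "clientId": "333333333333.apps.googleusercontent.com",
            "displayText": "",
            "anonymous": True, "nativeApp": False,
            "userKey": "carol@example.com",
            "scopes": ["https://www.googleapis.com/auth/calendar.readonly"],
        },
    ],
})


def parse_tokens(payload: str) -> List[dict]:
    """Parse a tokens.list-shaped payload and return its token entries."""
    data = json.loads(payload)
    if data.get("kind") != "admin#directory#tokens":
        raise ValueError("unexpected payload kind: %r" % data.get("kind"))
    return list(data.get("items", []))


def assess_token(token: dict) -> dict:
    """Rate one grant by the sensitive scopes it carries."""
    reasons = [SENSITIVE_SCOPES[s] for s in token.get("scopes", []) if s in SENSITIVE_SCOPES]
    return {
        "user": token.get("userKey"),
        "client_id": token.get("clientId"),
        # A missing display name is itself worth a second look during review.
        "app": token.get("displayText") or "<no display name>",
        "sensitive": reasons,
        "risk": "high" if reasons else "low",
    }


def find_high_risk_grants(payload: str) -> List[dict]:
    """Return only the grants that reach mail, files, photos or calendar data."""
    return [a for a in (assess_token(t) for t in parse_tokens(payload)) if a["risk"] == "high"]


def baseline_diff(previous: List[dict], current: List[dict]) -> Tuple[Set[str], Set[str]]:
    """Compare two inventory snapshots by client ID: (newly appeared, vanished).

    A grant that appears without a matching user-visible install is the
    signal to chase; a grant that vanishes from the admin view but was never
    revoked deserves the same attention.
    """
    prev_ids = {t["clientId"] for t in previous}
    cur_ids = {t["clientId"] for t in current}
    return cur_ids - prev_ids, prev_ids - cur_ids


if __name__ == "__main__":
    for grant in find_high_risk_grants(SAMPLE_TOKENS_RESPONSE):
        print("%s: %s (%s) -> %s" % (grant["user"], grant["app"], grant["client_id"],
                                     ", ".join(grant["sensitive"])))
```

Run on a real export, the high-risk list is what an admin reviews against the apps users actually installed, and the snapshot diff is what turns a one-off review into a recurring detection.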