Subj : Google accounts attacked and hijacked by this devious security fl
To   : All
From : TechnologyDaily
Date : Mon Apr 24 2023 16:00:03

Google accounts attacked and hijacked by this devious security flaw

Date: Mon, 24 Apr 2023 14:45:24 +0000

Description: Google has addressed the vulnerability, so patch now.

FULL STORY
======================================================================

Google's Cloud Platform (GCP) was vulnerable to a zero-day flaw that allowed threat actors access to people's accounts, and all the data found there (Gmail, Drive, Docs, Photos, and more), researchers are saying.

Experts from Astrix Security found that a threat actor could create a malicious Google Cloud Platform app, and advertise it either via the Google Marketplace, or third-party providers. If a user installs the app, authorizes it, and links it to an OAuth token, they'd give the attackers access to their Google account.

Hiding the app from the victims

The threat actors could then make the app invisible, and hide it from Google's application management page, making it impossible for the victims to address the vulnerability.

The method of hiding the app is where the zero-day lies: by deleting the linked GCP project, the attackers would make the app enter a pending deletion state, and thus make it invisible on the application management page.

"Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account," the researchers said.

Then, whenever the attackers saw fit, they'd be able to restore the project, get a fresh token, and retrieve the data from the victim's account. What's more, they could do this indefinitely.

"The attacker on the other hand, as they please, can unhide their application and use the token to access the victim's account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a 'ghost' token to the victim's account."

Astrix called the flaw GhostToken.

It's also important to mention that the impact of the flaw depends heavily on the permissions the victims give the malicious apps.

The vulnerability was discovered in the summer of 2022 and was addressed in April of this year. Now, GCP OAuth applications pending deletion still appear on the "Apps with access to your account" page.

Via: BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/news/google-accounts-attacked-and-hijacked-by-this-devious-security-flaw

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)