2023-04-25

Google fixed a vulnerability affecting Google Cloud Platform that allowed attackers to make a malicious application invisible and unremovable.

The flaw was found by Astrix’s Security Research Group on June 19th, 2022, and addressed on April 7th, 2023.

With the fix, users will be able to see the applications that are in a “pending-deletion” state on their “Apps with access to your account” page.

Google addressed a vulnerability reported in June 2022 by Astrix Security, an Israeli cybersecurity startup. The patch for the vulnerability, named GhostToken, was released on April 7th, 2023. The vulnerability allowed attackers to make a malicious application invisible and unremovable, leaving the victim's account permanently exposed to a trojanized application.

Hiding the applications

The method made it impossible for users to address the issue: the threat actors made the application invisible by hiding it from the application management page. To do so, they deleted the GCP project that owned the application, which put the app into a pending-deletion state and removed it from the application management page.

The threat actors could then restore the project whenever they wanted a fresh token, and so retrieve data indefinitely. Now that the flaw is fixed, OAuth applications in the pending-deletion phase are shown on the “Apps with access to your account” page and can be removed by the user like any other application. Researchers urged users to visit this page, check for authorized third-party applications, and reduce their permissions where possible.
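The researchers' advice is a per-user check in the Google account UI. For a Workspace domain, an administrator can run the same check centrally. The following script is an added example, not code from the article or from Astrix: it uses the Admin SDK Directory API tokens.list and tokens.delete endpoints (real endpoints, accessed with an admin OAuth access token assumed to be in the GOOGLE_ADMIN_TOKEN environment variable), triages each third-party grant by the scopes it holds, and revokes grants that carry mail or Drive access unless their client id is on an allowlist. The HIGH_RISK_SCOPES set, the allowlist and the SAMPLE_RESPONSE are constructed for the example; whether a grant belonging to a project in the pending-deletion state appears in this API's output is not stated on the page and is not assumed here.

```python
"""Audit and revoke third-party OAuth grants on Google Workspace accounts.

Added example (not the article's or Astrix's code). Assumes Admin SDK
Directory API tokens.list / tokens.delete and an admin access token in
GOOGLE_ADMIN_TOKEN. SAMPLE_RESPONSE below is constructed test data.
"""
import json
import os
import urllib.request

DIRECTORY_API = "https://www.googleapis.com/admin/directory/v1"

# Scopes that grant broad access to mail or Drive data; tune for your org.
# Constructed policy for the example, not a Google-published list.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}


def _request(path, access_token, method="GET"):
    req = urllib.request.Request(
        f"{DIRECTORY_API}{path}",
        method=method,
        headers={"Authorization": f"Bearer {access_token}"},
    )
    return urllib.request.urlopen(req)


def list_tokens(user_key, access_token):
    """Return the tokens.list response (dict) for one user."""
    with _request(f"/users/{user_key}/tokens", access_token) as resp:
        return json.load(resp)


def revoke_token(user_key, client_id, access_token):
    """Delete one grant (tokens.delete); returns the HTTP status, 204 on success."""
    with _request(f"/users/{user_key}/tokens/{client_id}", access_token,
                  method="DELETE") as resp:
        return resp.status


def triage_tokens(token_list, allowlist=frozenset()):
    """Classify each grant in a tokens.list response as 'revoke' or 'keep'.

    A grant is marked 'revoke' when it holds at least one high-risk scope and
    its client id is not allowlisted. Results are sorted with revocations first.
    """
    findings = []
    for item in token_list.get("items", []):
        client_id = item.get("clientId", "")
        scopes = set(item.get("scopes", []))
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        allowlisted = client_id in allowlist
        findings.append({
            "clientId": client_id,
            "app": item.get("displayText") or "<no display name>",
            "risky_scopes": risky,
            "allowlisted": allowlisted,
            "action": "revoke" if risky and not allowlisted else "keep",
        })
    findings.sort(key=lambda f: (f["action"] != "revoke", f["app"]))
    return findings


# Constructed sample in the shape of a tokens.list response.
SAMPLE_RESPONSE = {
    "kind": "admin#directory#tokenList",
    "items": [
        {"clientId": "111111-constructed.apps.googleusercontent.com",
         "displayText": "Calendar Helper (constructed)",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
        {"clientId": "222222-constructed.apps.googleusercontent.com",
         "displayText": "Mail Backup (constructed)",
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "333333-constructed.apps.googleusercontent.com",
         "displayText": "Corporate Drive Sync (constructed)",
         "scopes": ["https://www.googleapis.com/auth/drive"]},
    ],
}
ALLOWLIST = frozenset({"333333-constructed.apps.googleusercontent.com"})


def audit_user(user_key, access_token, allowlist=ALLOWLIST, dry_run=True):
    """List a user's grants, print the triage, and revoke flagged ones unless dry_run."""
    findings = triage_tokens(list_tokens(user_key, access_token), allowlist)
    for f in findings:
        print(f"{f['action']:7} {f['app']}  {f['clientId']}  risky={f['risky_scopes']}")
        if f["action"] == "revoke" and not dry_run:
            print("   revoked, status", revoke_token(user_key, f["clientId"], access_token))
    return findings


if __name__ == "__main__":
    token = os.environ.get("GOOGLE_ADMIN_TOKEN")
    if token:
        audit_user("user@example.com", token)  # placeholder user; dry run by default
    else:  # offline: triage the constructed sample only
        for f in triage_tokens(SAMPLE_RESPONSE, ALLOWLIST):
            print(f"{f['action']:7} {f['app']}  risky={f['risky_scopes']}")
```

Run without GOOGLE_ADMIN_TOKEN to see the triage over the constructed sample; with a token it lists the real grants for the placeholder user and, with dry_run=False, revokes the flagged ones. Keeping the triage separate from the network calls means the policy can be unit-tested and reviewed before anything is revoked.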

Disclosure timeline:

June 19th, 2022 – Astrix Security finds the vulnerability and discloses it to Google.
June 23rd, 2022 – Google initial response, identifying the vulnerability as Abuse Risk.
August 18th, 2022 – Google accepted the report.
April 7th, 2023 – A global patch fixing the issue was rolled out by Google. As per our coordination efforts, the patch included adding tokens of OAuth applications in a “pending deletion” state to the user’s app management screen.

Astrix Security said,

“By exploiting the GhostToken vulnerability, attackers can hide their malicious application from the victim’s Google account application management page. Since this is the only place Google users can see their applications and revoke their access, the exploit makes the malicious app unremovable from the Google account. The attacker, on the other hand, can unhide their application as they please and use the token to access the victim’s account, and then quickly hide the application again to restore its unremovable state. In other words, the attacker holds a “ghost” token to the victim’s account. It’s important to note that, since the application is entirely hidden from the victim’s view, they are prevented from even knowing their account is at risk in the first place, and even if they do suspect it – they can’t do anything but create a brand new Google account.”