GhostToken GCP Bug Gives Entry To Attackers Into Google Accounts

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Apr 21, 2023 10:59 am PST

Security experts have revealed details of a now-patched zero-day vulnerability in Google Cloud Platform (GCP) that may have allowed threat actors to hide an irremovable, malicious application inside a victim’s Google account.

The flaw, dubbed GhostToken by Israeli cybersecurity outfit Astrix Security, affects all Google accounts, including Workspace accounts aimed at businesses. It was found and reported to Google on June 19, 2022. The company released a universal patch on April 7, 2023, more than nine months later.

According to research by Astrix, “the vulnerability allows attackers to convert an already-authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever and granting them permanent and unremovable access to a victim’s Google account.”

In essence, the issue enables an attacker to conceal their malicious application from a victim’s Google account application management page, effectively preventing users from revoking its access.

This is done by deleting the GCP project linked to the authorized OAuth application, which puts the project in the “pending deletion” state. The threat actor could then restore the project, unhide the malicious app, acquire the victim’s data using the access token, and then make the app invisible once more.

Astrix explained, “In other words, the attacker has a ‘ghost’ token associated with the victim’s account.”

Depending on the permissions granted to the app, adversaries could exploit it to delete files from Google Drive, send emails on behalf of the victim to carry out social engineering attacks, track locations, and exfiltrate sensitive information from Google Calendar, Photos, and Drive.

“Victims may unknowingly authorize access to such malicious applications by installing a seemingly innocent app from the Google Marketplace or one of the many productivity tools available online,” Astrix continued.

“Once the malicious app has been authorized, an attacker taking advantage of the vulnerability can get around Google’s “Apps with access to your account” management feature, which is the only place where Google users can view third-party apps linked to their accounts.”

As a result of Google’s fix, apps that are in the process of being deleted are now displayed on the third-party access page, so users can revoke the permission given to them.

The change follows Google Cloud’s patching of Asset Key Thief, a privilege escalation vulnerability in the Cloud Asset Inventory API that could be used to steal user-managed Service Account private keys and access valuable data. The tech giant corrected the problem on March 14, 2023, after SADA identified it in early February.

The disclosure comes a little over a month after cloud incident response company Mitiga revealed that hackers may have been able to exfiltrate sensitive data from GCP by taking advantage of “insufficient” forensic visibility.


A GCP vulnerability might have allowed attackers to deliberately modify an OAuth application and hide it, establishing a stealthy backdoor to any Google account. The GhostToken problem could have allowed attackers to hide the malicious application from Google users and retrieve account tokens to access their data. Astrix, an app-to-app security business, discovered the problem in June last year. It stems from what happens when OAuth clients, which are GCP projects, are deleted. When the owner or anyone with management authority deletes a GCP project, it enters a 30-day “pending deletion” status, during which the developer can restore it.

Applications in this state are removed from the Google account application management page when deleted, even if they still have access to the account. The same applies to GCP projects that act as OAuth clients: the user receives an error that the client was deleted, yet the application can access the account until it is deleted. Astrix also found that restoring an OAuth client from the “pending deletion” stage re-enables the refresh token created when the user authorized the application. The security firm says this refresh token can be used to obtain an access token and access the victim’s data. An attacker might create or take over an OAuth application to access the refresh token. To prevent the victim from removing the application, the attacker could delete the project.

To access the victim’s data, the attacker would restore the project, use the refresh token to receive an access token, and then delete the project again to hide the application and make it unremovable. According to Astrix, the attack leaves the malicious app impossible to remove from the Google account, because the application management page is the sole location on Google where users can view their applications and deny access for those applications. According to the security firm, with the access token the attacker can read the victim’s emails, Google Drive and Photos files, and calendar, track their location, and “give the users pass to the victim’s Google Cloud Platform services”.
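The visibility gap described above can be stated as an invariant: every grant whose refresh token can still be made to work must appear on the page where users revoke access. The following added example (a simplified model written for this article, not Google's or Astrix's code; all type names, function names, app names and the `PURGED` end state are assumptions) checks that invariant against the pre-fix and post-fix listing behaviour.

```python
from dataclasses import dataclass
from enum import Enum

class ProjectState(Enum):
    ACTIVE = "active"
    PENDING_DELETION = "pending deletion"  # 30-day window, project restorable
    PURGED = "purged"                      # assumed end state after the window

@dataclass
class Grant:
    """One user's authorization of an OAuth app (hypothetical model type)."""
    app_name: str
    project_state: ProjectState = ProjectState.ACTIVE
    revoked: bool = False

    def token_recoverable(self) -> bool:
        # Restoring a pending-deletion project re-enables the refresh token,
        # so the grant stays usable until revoked or the project is gone.
        return not self.revoked and self.project_state is not ProjectState.PURGED

def apps_page(grants, patched):
    """Grants the user can see, and therefore revoke, on the apps page."""
    shown = []
    for g in grants:
        if not g.token_recoverable():
            continue
        if g.project_state is ProjectState.PENDING_DELETION and not patched:
            continue  # pre-fix behaviour: hidden while still restorable
        shown.append(g)
    return shown

def ghost_grants(grants, patched):
    """Invariant check: names of grants that are recoverable but not listed."""
    listed = {g.app_name for g in apps_page(grants, patched)}
    return [g.app_name for g in grants
            if g.token_recoverable() and g.app_name not in listed]

def revoke_everything_visible(grants, patched):
    """User revokes every app shown; returns names that still keep access."""
    for g in apps_page(grants, patched):
        g.revoked = True
    return [g.app_name for g in grants if g.token_recoverable()]

def sample_grants():
    # Constructed sample data: app names are made up for this example.
    return [Grant("calendar-helper"),
            Grant("notes-sync", ProjectState.PENDING_DELETION)]

if __name__ == "__main__":
    for patched in (False, True):
        print(patched, ghost_grants(sample_grants(), patched),
              revoke_everything_visible(sample_grants(), patched))
```

With the pre-fix listing, the pending-deletion app survives a user revoking everything they can see; with the post-fix listing, no grant is left outside the user's control.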
