GhostToken GCP Vulnerability Allows Attackers to Access Google Accounts

Published on: April 23, 2023
Last Updated: April 23, 2023

GhostToken GCP Vulnerability Allows Attackers to Access Google Accounts

Published on: April 23, 2023
Last Updated: April 23, 2023

Details of a zero-day vulnerability in Google Cloud Platform (GCP), which has since been fixed, were revealed by cybersecurity experts.

This flaw could have allowed malicious actors to hide a malicious application in a victim’s Google account, making it impossible to remove.

Astrix Security, an Israeli cybersecurity firm, has named this vulnerability GhostToken.

It impacts all types of Google accounts, including Workspace accounts designed for businesses.

The flaw was discovered on June 19, 2022, and reported to Google.

However, it took more than nine months for Google to release a universal patch, which was made available on April 7, 2023.

By taking advantage of this vulnerability, malicious applications could be made invisible to the victim after being authorized and linked to an OAuth token, which provides access to the victim’s Google account.

This would allow the attackers to conceal the app from the application management page of Google, which is the only place where Google users can manage apps linked to their accounts.

“The vulnerability allows attackers to convert an already-authorized third-party application into a malicious trojan app, leaving the victim’s personal data exposed forever and granting them permanent and unremovable access to a victim’s Google account.“


As BleepingComputer explains, the vulnerability enables attackers to hide their malicious app from the victim’s Google account application management page, preventing the victim from revoking its access.

This is achieved by deleting the GCP project connected to the authorized OAuth application, putting it in a “pending deletion” state.

With this ability, the attacker can then restore the project, unhide the rogue app, and use the access token to access the victim’s data.

Once done, the attacker can make the app invisible again.

Google has released a patch that addresses the vulnerability by displaying apps in a pending deletion state on the third-party access page, which enables users to revoke the permission granted to these apps.

Additionally, Google Cloud has also fixed a privilege escalation flaw in the Cloud Asset Inventory API called Asset Key Thief.

The flaw allowed attackers to steal user-managed Service Account private keys and gain access to valuable data.

The issue was discovered by SADA in February 2023 and was promptly patched by Google on March 14, 2023.

Stay on top of the latest technology trends — delivered directly to your inbox, free!

Subscription Form Posts

Don't worry, we don't spam

Written by Husain Parvez

Husain has been around the internet ever since the dial-up days and loves writing about everything across the technosphere. He loves reviewing tech, writing about VPNs, and covering Cybersecurity news.