GhostToken: Exploiting Google Cloud Platform App Infrastructure to Create Unremovable Trojan Apps

Presented at DEF CON 31 (2023), Aug. 11, 2023, noon (20 minutes)

In this talk, we will present a 0-day vulnerability found in the Google Cloud Platform (GCP) affecting all Google users, which allowed a malicious app to become invisible and unremovable, effectively leaving a Google user’s account infected with a backdoor app forever. The talk will start by reviewing the world of 3rd-party apps in Cloud platforms: the OAuth 2.0 standard, consent, scoped authorization, the types of tokens, and how data is accessed. Shifting the focus on Google, as one of the biggest cloud service providers supporting OAuth 2.0, we will show how 3rd-party apps are created, developed, and managed in Google (you will even get to manage yours in real time). We will discuss how Google relatively recently moved from the standard registration model, to forcibly linking the creation apps to Google Cloud Platform (GCP), hoping to push developers into using one of the GCP services for app development. We will then give a complete technical overview of a 0-day vulnerability found in GCP, dubbed 'GhostToken': The research of the aforementioned connection between apps in Google and GCP, which culminated in finding the ability to force an app to go into a limbo-like, “pending deletion” state, during which the app’s tokens are mishandled. We will show an exploitation of the vulnerability which enables an attacker to hide their authorized app from the user’s management page, causing it to become invisible and unremovable, while still having access to the user’s data. Finally, we will share how Google Workspace’s administrators could detect apps that potentially exploited the GhostToken vulnerability, as well as actions organization implementing 3rd-party access to their users' data can take to avoid making such mistakes, The talk will close with a discussion about the common abuse of and deviation from the OAuth standard by large providers, and propose a possible solution for supporting and implementing apps for large cloud providers. Familiarity with GCP and different OAuth 2.0 flows will help understand the concepts, but it is not required as the talk is self-contained. REFERENCES: * The OAuth 2.0 Authorization Framework: https://datatracker.ietf.org/doc/html/rfc6749 * Using OAuth 2.0 to Access Google APIs: https://developers.google.com/identity/protocols/oauth2 * Manage third-party apps & services with access to your (Google) account: https://support.google.com/accounts/answer/3466521#remove-access

Presenters:

• Tal Skverer - Security Research Team Lead at Astrix Security
  Tal holds an M.Sc. in Computer Science from the Weizmann Institute and has a decade of experience in reverse engineering, malware analysis, embedded security, web hacking, cryptography and pentesting. Biannually, Tal teaches workshops on assembly language, reverse engineering and blackbox research. Tal Skverer is a Senior Researcher at Astrix Security, where he challenges cloud platforms' defenses and mitigations. At his previous job, he hacked vehicle computers on a daily basis, and is also known for being one of the researchers that broke PokemonGo's anti-cheating system in 2016.

Links:

• https://forum.defcon.org/node/245707

Similar Presentations:

• BSidesLV 2023 / Beyond the Perimeter: Uncovering the Hidden Threat of Data Exfiltration in Google Cloud Platform
• SAINTCON 2019 / May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
• ToorCon San Diego TwentyOne (2019) / May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)