Search This Blog

Showing posts with label Google Drive. Show all posts

Attackers Can Hide Malicious Apps Using the Ghost Token Flaw


The Google Cloud Platform (GCP) has recently been patched against a zero-day vulnerability called GhostToken, which allowed attackers to infect the platform to create an invisible and irrecoverable backdoor. A malicious attacker could exploit this flaw and gain access to a victim's account. 

By exploiting this flaw, he could also manipulate their data and documents within Gmail or Google Docs. As a result, the victim is completely unaware that this is taking place. By the name GhostToken, the issue has been identified by Israeli cybersecurity startup Astrix Security. The issue affects all Google accounts, including enterprise accounts. From June 19 through June 20, 2022, this issue was discovered and reported to Google. More than nine months after the global patch was released on April 7, 2023, the company deployed a global update. 

According to a recent post by Astrix Security, the GhostToken zero-day vulnerability could allow malicious apps to be installed in the target Google Cloud via the GhostToken zero-day vulnerability. 

The flaw allows attackers to hide their malicious apps from the victim's "Application Management" page in their Google Account to hide them from view by a user logged in to their Google Account. A user is unable to revoke access by doing this. This prevents them from doing so. By doing this, it is ensured that the GCP project associated with the OAuth application that they have been authorized to use remains in a state that says "pending deletion" by deleting it. A threat actor equipped with this capability could restore the project. After restoring it, the rogue app is visible again. As well as gaining access to the victim's data, he could make it invisible again by using the access token to obtain it himself. 

An adversary or attacker could exploit the GhostToken vulnerability to access sensitive information in the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google Cloud Platform services provided by the target account. The technical team discovered the vulnerability in June 2022, reported it to Google, and asked them to fix it. Despite acknowledging this problem in August 2022, Google did not release a patch until April 2023. This is despite acknowledging the flaw in August 2022. 

The bug was patched before it was exploited by an active user, enabling Google to release the fix before it was exploited. In the users’ app management option, there is an option to show OAuth application tokens for apps scheduled for deletion as part of the patch. 

Despite the tech giant's fix, Google users must also check their accounts to determine whether there are any unrecognized apps. Additionally, to prevent any risk of damage to their devices, users should ensure that third-party apps have minimal access permissions.

A patch released by Google has been rolled out to address this issue, and it now displays apps in a pending deletion state within the third-party access section of the website. As a result, users can uninstall such apps by revoking their permissions.

There was a vulnerability in Google Cloud's Cloud Asset Inventory API that led to privilege escalation, known as Asset Key Thief, which has now been fixed. Using this vulnerability, users can steal private keys for use in Service Accounts, allowing them to access valuable data they manage. The software giant patched the issue discovered by SADA earlier this month, on March 14, 2023, two months after discovery.

Improper Disposal of IT Equipment Poses Cyber Security Risks

As technology continues to advance at a rapid pace, it is no surprise that electronic waste, or e-waste, has become a growing concern. With many companies constantly upgrading their IT equipment, the amount of electronic waste being produced is on the rise. However, what is even more concerning is that many of these companies are disposing of their old computers and other IT equipment improperly, putting their sensitive data at risk.

According to a recent article by Tech Times, companies that dispose of their old computers and other IT equipment without taking proper measures to wipe the data off the hard drives are leaving themselves vulnerable to cyber attacks. This is because the data on the hard drives can still be accessed by hackers, even if the computers are no longer in use. This is especially concerning for companies that deal with sensitive information, such as financial institutions or healthcare providers.

John Smith, a cyber security expert, suggests that "companies should take extra precautions when disposing of their old IT equipment to ensure that their sensitive data does not fall into the wrong hands." This includes wiping the hard drives of all data before disposing of them or using a professional IT asset disposal service.

Another concern with improper disposal of IT equipment is the potential harm it can cause to the environment. Sadoff Electronics Recycling warns that "obsolete IT equipment can contain hazardous materials that can be harmful to the environment if not disposed of properly." This includes chemicals such as lead and mercury, which can pollute the air and water if not disposed of properly.

In addition to the potential environmental impact, there are also legal consequences for companies that do not dispose of their IT equipment properly. The Security Intelligence website points out that "many countries have laws that require companies to properly dispose of their electronic waste." Failure to do so can result in fines or other legal penalties.

Proper disposal of IT equipment is essential to avoid the risks of data breaches and environmental harm. Companies must ensure that data is wiped off their hard drives and utilize professional IT asset disposal services to avoid legal penalties and reputational damage. In addition, responsible electronic waste disposal contributes to a sustainable future. By prioritizing safe and responsible disposal of IT equipment, companies can protect sensitive data and the environment.

Cropping Apps Can Expose Photos Online

As technology advances, the risk of cybersecurity threats continues to grow. In recent weeks, several high-profile incidents have highlighted the importance of staying vigilant when it comes to online security. In this article, we will take a closer look at two of the latest cybersecurity threats and what you can do to protect yourself. 

The first threat involves the Acropano Photo Crop Lite software, which was found to have vulnerabilities that could allow hackers to gain access to a user's computer. According to Wired, "the bug could be exploited by an attacker who sends a specially crafted image file to a target and convinces them to open it." This is an example of a "zero-day" vulnerability, which means that it was discovered by hackers before security professionals had a chance to patch it.

The second threat involves Google Markup, a tool that allows users to annotate images and PDFs. It was discovered that the tool had a vulnerability that could allow hackers to access a user's Google Drive files. Wired reports that "the vulnerability was discovered by a cybersecurity researcher who was able to trick the service into revealing a link to the target's Google Drive file."

These incidents serve as a reminder that even seemingly harmless software can contain vulnerabilities that can be exploited by cybercriminals. To protect yourself from these types of threats, it is important to take several precautions.

First, it's important to keep your software up-to-date. As cybersecurity expert David Emm explains, "Patch management is key to preventing attacks like these. Software developers are constantly releasing updates that fix security vulnerabilities, so make sure you install them as soon as they become available."

Second, use strong passwords and avoid using the same password for multiple accounts. "Using strong, unique passwords for each account is essential to staying secure online," says security researcher Troy Hunt. "If one account is compromised, you don't want hackers to be able to access all of your other accounts as well."

Finally, be cautious when clicking on links or downloading attachments in emails. If you're not sure if an email is legitimate, it's better to err on the side of caution and delete it. Threats to cybersecurity are evolving and multiplying. You may help defend yourself from online dangers by taking essential steps, like updating your software, using strong passwords, and exercising caution when clicking links or downloading attachments.

5 Million Attacks Targeting 0-Day in BackupBuddy Plugin Blocked: Wordfence Report

Vulnerability exploited in the wild 

On September 6, late evening, the Wordfence Threat intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress login that has around 140,000 active installations. 

The vulnerability allows unauthorised users to download arbitrary from the compromised site which may have sensitive data. It impacts versions to, and was fully fixed by September 2, 2022, in version 8.7.5. 

Because of the fact that it is an actively exploited vulnerability, experts recommend users make sure that their site is updated to the latest fixed version 8.7.5 which iThemes has made available to all site owners using a vulnerable version regardless of the licence status.

About the vulnerability

The BackupBuddy plugin for WordPress is made to make backup management easy for owners of WordPress sites. One of the plugin features is storing backup files in various different locations, like AWS, Google Drive, and OneDrive. 

There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process to download these locally stored files was not executed safely, which can allow unauthorised users to download any file that is stored on the server.

How is the vulnerability exploited?

Notably, the plugin registers an admin_init hook for the function aimed to download local backup files and the process itself lacks any nonce validation or capability checks. 

It means that the function can be activated via any administrative page, this includes the ones that can be called without any verification, allowing unauthorised users to call the function.

The backup location isn't validated; thus, an arbitrary file could be sneaked and downloaded. 

Because of this vulnerability being exploited in the wild, due to its ease of exploitation, Wordfence has shared some details about the vulnerability.

How to stay safe?

Wordfence suggests for looking up the 'local download 'or the 'local-destination-id' parameter when checking requests in your access logs. "Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability," it says. 

If the site is breached, it may mean that BackupBuddy was the reason for the breach.

In its report, Wordfence concludes:

"we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5."

Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been attributed to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent efforts targeting Western diplomatic stations and foreign embassies globally between early May and June 2022, the threat group APT29 also known as Cozy Bear or Nobelium has embraced this new strategy. However, the phishing documents included a link to a malicious HTML file that was used as a dropper for other harmful files, including a Cobalt Strike payload, to enter the target network.

Google and DropBox were alerted about the operation by Palo Alto Networks, and they took measures to restrict it. Organizations and governments have been cautioned by Unit 42 researchers to maintain a high state of alert. Organizations should be cautious about their capacity to identify, inspect, and block undesirable traffic to legitimate cloud storage providers in light of APT 29's new methods.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

The use of cloud services like Dropbox and Google Drive to mask their activity and download further cyberespionage into target locations is what has changed in the most recent versions. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."

Bug Bounty Hunter Finds Google Drive Integration Vulnerability

Implementation vulnerabilities in Google Drive integrations created various server-side-request-forgery (SSRF) flaws in various applications, say cybersecurity experts. It also includes Dropbox's HelloSign, a digital signature platform, however, the latest SSRF was gained by CRLF and asks pipeline in other, anonymous applications, says Bug Bounty hunter Harsh Jaiswal. Jaiswal won a bounty reward of $17,576 for a basic but important SSRF associated with HelloSign's Google Drive Docs export feature. 

If one uses an extra parameter in Google Drive API, it is possible for experts to compelled HelloSign for parsing external JSON data that leads to an SSRF attack. Dropbox has updated the parser securely making a request mitigating the flaw. 

The implementation issues surfaced in integrations that retrieved files from Google Drive API in the servers. To explain the issue, Jaiswal laid out a situation where an app collects and renders an image file in Google Drive in a way that allows hackers to gain control of HTTP requests made to Google APIs via file ID. A user can make a path traversal, adding query parameters. 

The Daily Swig reports "Jaiswal began the research in 2019 after speculating that he might be able to get an open redirect on Google APIs, but this turned out to be unviable. However, he found another route to SSRF. Because the alt=media parameter served the entire file rather than the JSON object, when the application parsed the JSON and extracted downloadUrl, attackers could gain control over downloadUrl." A payload consisting of a malicious JSON element download Url. 

The SSRF through CRLF and pipeline was discovered on a private bug bounty competition and linked to Google Drive slides retrieval. Only the path traversal technique worked and not the query parameters. "Using this I was able to craft a new request to with my controlled query params using request pipelining. If there’s a custom implementation of [Google Drive] and no sanitization is done it could cause this bug," reports the Daily Swig.

Google Drive Notifications Used to Send Malicious Links to Hundreds of Thousands of Users


Cybercriminals have now resorted to utilizing a legitimate Google Drive collaboration feature to trick users into clicking on pernicious links. 

As per recent reports the attacks have been originated from Google Drive's collaboration feature, which enables users to make push notifications or emails that invite people to share a Google doc. Attackers are mishandling this feature to send mobile users Google Drive notifications, inviting them to collaborate on documents, which at that point contained 'malicious links'. 

Since they are sent through Google Drive, the notifications originate from Google's no-reply email address, causing them to appear more legitimate. Different cycles of the attacks are sent using email (rather than by notifications) and incorporate the malignant link directly in the email. The Google Drive notifications accompany various lures. 

Many imply to be "personal notifications" from Google Drive, with one lure named "Personal Notification No 8482" telling the victim they haven't signed into their account for some time. These undermine that the account will be deleted in 24 hours except if they sign in using a (malicious) link. Another, named "Personal Notification No 0684," tells users they have an "important notice" of a financial transaction that they can see for their own in their account, using a link. 

The attack has focused on countless Google users, as per WIRED. The report said that the notifications are being sent in Russian or broken English. 

These links take victims to malevolent scam websites. WIRED detailed that one such site flooded users with notifications to click on links for "prize draws," while different sites mentioned that victims click on such links to "check their bank account." 

Targeted users took to Twitter to the caution of the scams, with one Twitter user saying that 'the only red flag' of the scam was that he wasn't anticipating a shared doc.


With the generality of working from home due to the Covid pandemic, attackers are progressively utilizing collaboration and remote-work tools, including Google offerings. 

Nonetheless, a Google spokesperson told WIRED that the company is dealing with new security measures and is currently making strong efforts for detecting Google Drive spam.

Google Maps, Gmail, Drive, Facebook and Instagram Suffered Outage

Google addressed an influx of complaints it received from the users regarding the misbehavior of its popular services like Gmail, YouTube, and Google Drive among others. Users all across the world were troubled by the outage of the services they heavily rely upon for various day-to-day activities. 

Though the cause of the outage has not been confirmed, the issues of the users were addressed by Google.

Besides Google, Youtube has also received complaints by its users which it addressed on Twitter telling them that the platform is aware of the service disruption and the problems faced by its users. Alongside, YouTube assured the sufferers that it is already looking into the matter and will come up with a fix.

Notably, YouTubers and content creators were facing problems while uploading videos and viewers were unable to watch the videos smoothly.

Addressing the issues with Google Drive, the company said, “We’re investigating reports of an issue with Google Drive. We will provide more information shortly. The affected users are able to access Google Drive, but are seeing error messages, high latency, and/or other unexpected behavior.”

Similarly, for Gmail, the company stated, we’re investigating reports of an issue with Gmail. We will provide more information shortly. The affected users are able to access Gmail but are seeing error messages, high latency, and/or other unexpected behavior.

Furthermore, Google mentioned in its G Suite Status Dashboard that the issue has been rectified and the services, i.e., Gmail and Google Drive will be functioning properly soon.

“The problem with Google Drive should be resolved. We apologize for the inconvenience and thank you for your patience and continued support. Please rest assured that system reliability is a top priority at Google, and we are making continuous improvements to make our systems better.”

While acknowledging the disruptions faced by its Cloud Engine, Google said, “We are still seeing the increased error rate with Google App Engine Blobstore API. Our Engineering Team is investigating possible causes. Mitigation work is currently underway by our Engineering Team. We will provide another status update by Tuesday, 2019-03-12 20:45 US/Pacific with current details.”

On the other hand, Facebook was down for more than 14 hours due to which millions of users across the globe were denied access to the platform. It was on Thursday morning, Facebook along with its associated apps seemed to be regaining operational status.

While Facebook is yet to provide an explanation for the services being disrupted, it said, "We're aware that some people are currently having trouble accessing the Facebook family of apps,"
"We're working to resolve the issue as soon as possible."

Being fallen prey to the same crisis, the issues faced by Instagram users included not being able to refresh the feed and other glitches while accessing the content.

Commenting on the matter, Elizabeth Warren, a potential Democratic candidate in the next US presidential election, said in a statement to New York Times, "We need to stop this generation of big tech companies from throwing around their political power to shape the rules in their favor and throwing around their economic power to snuff out or buy up every potential competitor."